Issue 21: Microsoft Flaw Exploited by MerkSpy, FakeBat Loader Malware Rampant, and New Intel CPU Vulnerability 'Indirector' Discovered
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top Stories 05 July 2024:
Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool
Unknown threat actors have been exploiting a now-patched vulnerability in Microsoft MSHTML, identified as CVE-2021-40444, to deliver a surveillance tool called MerkSpy. This campaign primarily targets users in Canada, India, Poland, and the U.S.
According to Fortinet FortiGuard Labs researcher Cara Lin, MerkSpy is designed to monitor user activities, capture sensitive information, and establish persistence on compromised systems. The attack begins with a Microsoft Word document posing as a job description for a software engineer role. Opening this file triggers the exploitation of CVE-2021-40444, allowing remote code execution without user interaction. This vulnerability was addressed in Microsoft’s September 2021 Patch Tuesday updates.
The exploit downloads an HTML file (“olerender.html”) from a remote server, which executes embedded shellcode after checking the operating system version. The file calls ‘VirtualProtect’ to change memory page permissions so the decoded shellcode can be written into memory, and ‘CreateThread’ then runs that shellcode, which downloads and executes the next payload from the attacker’s server.
The shellcode downloads a file misleadingly named “GoogleUpdate,” which contains an injector payload. This payload evades detection and loads MerkSpy into memory. MerkSpy ensures persistence through Windows Registry changes, allowing it to launch automatically at startup. It captures screenshots, keystrokes, and login credentials from Google Chrome and MetaMask, exfiltrating this data to the URL “45.89.53[.]46/google/update[.]php.”
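As an added illustration of how a defender would act on the indicators quoted above (example code written for this roundup, not Fortinet’s or CloudGuard’s tooling): a small Python scanner that refangs the published indicators, runs them over constructed proxy log lines and triages the hits. Only the indicator strings come from the article; the log lines, the 203.0.113.7 staging address and the high/medium weighting are my own assumptions.

```python
import re
from typing import Dict, Iterable, List

# Indicators quoted in the MerkSpy write-up above, kept defanged as published.
INDICATORS = {
    "exfil_url": "45.89.53[.]46/google/update[.]php",
    "exfil_ip": "45.89.53[.]46",
    "stager_html": "olerender.html",
    "injector_name": "GoogleUpdate",
}

# Constructed proxy log lines (timestamp, client, method, URL, status, user agent).
# 203.0.113.7 is a documentation address standing in for the unnamed staging server.
SAMPLE_LOG = """\
2024-07-02T09:14:01Z 10.0.0.12 GET http://203.0.113.7/jobs/olerender.html 200 Mozilla/5.0
2024-07-02T09:14:05Z 10.0.0.12 GET http://203.0.113.7/dl/GoogleUpdate 200 Mozilla/5.0
2024-07-02T09:15:30Z 10.0.0.12 POST http://45.89.53.46/google/update.php 200 Mozilla/5.0
2024-07-02T09:16:00Z 10.0.0.33 GET https://update.googleapis.com/service/update2 200 Google-Update/1.3
"""


def refang(ioc: str) -> str:
    """Turn a published, defanged indicator ('[.]') back into the form logs contain."""
    return ioc.replace("[.]", ".")


def scan_log(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the sorted indicator names found on that line."""
    compiled = {
        name: re.compile(re.escape(refang(value)), re.IGNORECASE)
        for name, value in INDICATORS.items()
    }
    hits: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, start=1):
        found = sorted(name for name, pat in compiled.items() if pat.search(line))
        if found:
            hits[number] = found
    return hits


# Which indicators are strong enough on their own to page someone. My own weighting:
# the exfiltration host and the stager file name are specific to this campaign, while
# "GoogleUpdate" alone is a filename collision risk and only warrants a closer look.
HIGH_CONFIDENCE = {"exfil_url", "exfil_ip", "stager_html"}


def triage(hits: Dict[int, List[str]]) -> Dict[int, str]:
    """Label each hit line 'high' or 'medium' by the strongest indicator it carries."""
    return {
        number: "high" if HIGH_CONFIDENCE.intersection(names) else "medium"
        for number, names in hits.items()
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = scan_log(lines)
    for number, level in triage(hits).items():
        print(f"line {number} [{level}] {hits[number]}: {lines[number - 1]}")
```

The legitimate Google update request on the last sample line produces no hit, which is the point of matching the full exfiltration path and the bare IP separately: a filename such as “GoogleUpdate” is only a lead, while the published host is a direct match.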
FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks
The loader-as-a-service (LaaS) known as FakeBat has become a prevalent loader malware family in 2023, distributed via drive-by download techniques, according to Sekoia. FakeBat’s primary function is to download and execute next-stage payloads such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.
Drive-by attacks use methods like SEO poisoning, malvertising, and code injections into compromised sites to trick users into downloading fake software installers or browser updates. FakeBat, also called EugenLoader and PaykLoader, has been available on underground forums since December 2022, offered by a Russian-speaking actor named Eugenfest.
FakeBat bypasses security mechanisms and allows users to generate builds using templates to trojanise legitimate software. It also includes an administration panel for monitoring installations. Initially, FakeBat used an MSI format, but since September 2023, it has switched to MSIX format with a digital signature to bypass Microsoft SmartScreen protections.
Pricing for FakeBat ranges from $1,000 (£784) per week to $5,000 (£3,920) per month, depending on the format and features. Sekoia detected multiple activity clusters spreading FakeBat through malicious Google ads, fake web browser updates, and social engineering on social networks, linked to groups like FIN7, Nitrogen, and BATLOADER.
FakeBat’s command-and-control servers filter traffic based on characteristics such as User-Agent, IP address, and location, enabling targeted malware distribution. This disclosure coincides with AhnLab’s findings on DBatLoader and Kroll’s discovery of Hijack Loader, both employing complex infection chains and heavy obfuscation to deliver various malware strains.
Phishing campaigns have also been distributing Remcos RAT, with the Eastern European group Unfurling Hemlock using loaders and emails to drop multiple malware strains simultaneously. The distributed malware often includes stealers like RedLine, RisePro, and Mystic Stealer, and loaders like Amadey and SmokeLoader.
New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data
Modern Intel CPUs, including Raptor Lake and Alder Lake, are vulnerable to a new side-channel attack called Indirector, which can leak sensitive information. Security researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen discovered that this attack exploits weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB), bypassing current defences.
The IBP is a hardware component that predicts the target addresses of indirect branches, control-flow instructions whose destination is computed at runtime. Indirector identifies weaknesses in the IBP to launch precise Branch Target Injection (BTI) attacks, a form of Spectre v2 (CVE-2017-5715), allowing unauthorised disclosure of information via a side channel.
The attack uses a custom tool called iBranch Locator to locate indirect branches, then performs precise IBP and BTB injections to steer speculative execution. Unlike Pathfinder, which targeted the Conditional Branch Predictor, Indirector targets the branch target predictors themselves (the IBP and BTB), which makes its attacks more severe.
Indirector reverse engineers IBP and BTB to create high-resolution branch target injection attacks, hijacking control flow and leaking secrets. Intel, aware of these findings since February 2024, informed affected hardware and software vendors. Intel stated that existing mitigations like IBRS, eIBRS, and BHI are effective against Indirector, so no new mitigations are required.
Countermeasures include using the Indirect Branch Predictor Barrier (IBPB) more aggressively and hardening the Branch Prediction Unit (BPU) with complex tags, encryption, and randomisation.
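Intel’s position above is that IBRS/eIBRS cover Indirector, and the countermeasures add IBPB; the practical check on a Linux fleet is the kernel’s own Spectre v2 report. Added example, not from the researchers or from Intel: a Python parser for /sys/devices/system/cpu/vulnerabilities/spectre_v2 that reads the live line where the file exists and otherwise runs over constructed sample lines in the kernel’s reporting format. The pass/review rule is my own reading of the article, and the sample lines are illustrations rather than output captured from a real host.

```python
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Location of the kernel's Spectre v2 status file (Linux sysfs "vulnerabilities" interface).
SYSFS_SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample lines in the kernel's reporting format (newer kernels separate
# fields with ';', older ones with ','). Illustrations, not captured from a host.
SAMPLES = {
    "eibrs": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; "
             "PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop",
    "legacy_eibrs": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling",
    "retpoline": "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; "
                 "RSB filling; PBRSB-eIBRS: Not affected",
    "vulnerable": "Vulnerable",
    "not_affected": "Not affected",
}


def parse_spectre_v2(status: str) -> Dict[str, object]:
    """Split one spectre_v2 status line into state, primary mitigation and extra fields."""
    text = status.strip()
    state, _, rest = text.partition(":")
    state = state.strip()
    sep = ";" if ";" in rest else ","          # field separator differs by kernel version
    fields = [f.strip() for f in rest.split(sep) if f.strip()]
    primary = fields[0] if fields else ""
    extras: Dict[str, str] = {}
    for field in fields[1:]:
        key, has_value, value = field.partition(":")
        extras[key.strip()] = value.strip() if has_value else "present"
    return {
        "state": state,
        "primary": primary,
        "eibrs": state == "Mitigation" and "Enhanced" in primary,
        "ibrs": state == "Mitigation" and "IBRS" in primary,
        "ibpb": extras.get("IBPB"),
        "bhi": extras.get("BHI"),
        "extras": extras,
    }


def assess(parsed: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Judge a parsed status against the guidance quoted above (IBRS/eIBRS plus IBPB).

    Heuristic, my own reading of the article: a host counts as covered when the kernel
    reports Enhanced IBRS or IBRS as the primary mitigation and IBPB is in use.
    Retpoline-only hosts are flagged for review rather than declared vulnerable.
    """
    reasons: List[str] = []
    if parsed["state"] == "Not affected":
        return True, ["kernel reports CPU not affected by Spectre v2"]
    if parsed["state"] != "Mitigation":
        return False, [f"kernel reports '{parsed['state']}' with no mitigation active"]
    if not parsed["ibrs"]:
        reasons.append(f"primary mitigation is '{parsed['primary']}', not IBRS/eIBRS: review")
    if parsed["ibpb"] is None:
        reasons.append("IBPB not reported; the article lists IBPB as a countermeasure")
    return not reasons, reasons or ["IBRS/eIBRS active with IBPB reported"]


def read_host_status() -> Optional[str]:
    """Return the live sysfs line on a Linux host, or None where the file is absent."""
    try:
        return SYSFS_SPECTRE_V2.read_text().strip()
    except OSError:
        return None


if __name__ == "__main__":
    live = read_host_status()
    entries = ([("host", live)] if live else []) + list(SAMPLES.items())
    for name, line in entries:
        ok, why = assess(parse_spectre_v2(line))
        print(f"{name:13} {'OK    ' if ok else 'REVIEW'} {line!r} -> {'; '.join(why)}")
```

Run across a fleet, the “REVIEW” lines are the hosts where the kernel reports something other than IBRS/eIBRS as its primary Spectre v2 mitigation, which is where Intel’s statement above does not directly apply and a closer look is warranted.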
Additionally, Arm CPUs are vulnerable to a speculative execution attack called TikTag, which targets the Memory Tagging Extension (MTE) to leak data with over 95% success in under four seconds. Researchers identified TikTag gadgets that bypass MTE’s probabilistic defences. Arm responded that MTE provides limited deterministic and probabilistic defences but isn’t designed to fully counteract an interactive adversary capable of brute-forcing or crafting arbitrary Address Tags.
That's all folks!
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Martin Vondrous (SOC Analyst).
If you like what you've read, subscribe so you don't miss next week's roundup!