Happy Wednesday everyone!
Today's #readoftheday comes from Fortinet Labs researchers, who documented an attack that used the spyware #MerkSpy. The attack exploited CVE-2021-40444, a remote code execution vulnerability in MSHTML that affects Microsoft Windows [2]. Like most spyware, it has the capabilities to capture screenshots, log keystrokes, and access the MetaMask extension (a browser extension designed to let users buy/sell crypto). Check out the full article for all the amazing technical details; this is just a small summary!
Threat Hunting Tips:
This spyware gains persistence (TA0003) by using the age-old technique of abusing the Windows Registry Run key (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Any program listed as a value under this registry key (*\Software\Microsoft\Windows\CurrentVersion\Run) is launched automatically at startup. This could be helpful if there is an application that someone uses every day, OR it could be helpful for the adversary to get repeatable access to a victim's machine! Either way, this is a location that I would keep my eye on! Enjoy and Happy Hunting!
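To turn that hunting tip into something you can run, here is an added PowerShell example (my own, not code from the Fortinet write-up or from the MerkSpy sample) that enumerates the Run and RunOnce autostart keys under HKLM and HKCU, resolves each command to its executable, and flags entries that point at user-writable folders, that launch a script or LOLBin host, that are not validly signed, or whose target no longer exists on disk. The key paths, the triage patterns and the flag names are my assumptions about what is worth a second look, not indicators from the article.

```powershell
# Added example (not from the Fortinet post): enumerate Registry Run/RunOnce
# autostart entries (T1547.001) and flag the ones worth a closer look.
# Assumes: Windows PowerShell 5.1+ / PowerShell 7+, read access to HKLM and
# the current user's HKCU hive. The HKCU keys cover only the running user.

$runPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Triage heuristics (assumed, tune for your environment): directories a normal
# user can write to are a common drop location for malware that wants to
# survive a reboot, and script hosts / LOLBins hide payloads behind a trusted name.
$userWritablePattern = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\Downloads\\'
$scriptHostPattern   = '\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b'

function Get-ExecutableFromCommand {
    param([string]$CommandLine)
    # Quoted program path: "C:\Program Files\Foo\foo.exe" /arg
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path with spaces: C:\Program Files\Foo\foo.exe /arg
    if ($CommandLine -match '^\s*(.+?\.(exe|com|bat|cmd|vbs|js|hta|ps1|dll))\b') { return $Matches[1] }
    # Fall back to the first whitespace-delimited token
    if ($CommandLine -match '^\s*(\S+)') { return $Matches[1] }
    return $CommandLine
}

function Get-RunKeyEntries {
    foreach ($path in $runPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to the object
            if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }

            $cmd     = [string]$prop.Value
            $exe     = Get-ExecutableFromCommand -CommandLine $cmd
            $reasons = @()

            if ($cmd -match $userWritablePattern) { $reasons += 'user-writable path' }
            if ($cmd -match $scriptHostPattern)   { $reasons += 'script/LOLBin host' }

            # Get-Command resolves both full paths and bare names on PATH (e.g. rundll32.exe)
            $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                        Select-Object -First 1 -ExpandProperty Source
            $sigStatus = 'n/a'
            if ($resolved) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status
                if ($sigStatus -ne 'Valid') { $reasons += "signature $sigStatus" }
            } else {
                $reasons += 'target not found on disk'
            }

            [pscustomobject]@{
                Key       = $path
                Name      = $prop.Name
                Command   = $cmd
                Resolved  = $resolved
                Signature = $sigStatus
                Flags     = ($reasons -join '; ')
            }
        }
    }
}

# Flagged entries first, so the ones needing a human decision are at the top.
Get-RunKeyEntries | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

Run it in an elevated console on the host you are hunting and read the Flags column; a flagged entry is a starting point for a question, not a verdict, since legitimate updaters also live in AppData and plenty of vendors ship unsigned helpers. To hunt at fleet scale, drop the Format-Table line, pipe the objects to Export-Csv or your SIEM, and diff the results against a known-good baseline taken from a clean build.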
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems
https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-40444-to-infiltrate-systems
Additional resources:
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Intel 471 #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting #Intel471