Business

Iranian Hackers Abusing Known Bug in Microsoft’s MSHTML

Published

on

An Iranian threat actor is stealing Instagram and Google credentials of Farsi-speaking individuals around the world. The threat group is using a new PowerShell-based stealer, PowerShortShell, for this campaign.

What has happened?

PowerShortShell was used for Telegram surveillance and gathering system details from infected devices. The information is sent back to attacker-controlled servers.

  • The attacks started in July via spear-phishing emails that targeted Windows users with Winword attachments. They exploited a remote code execution flaw (CVE-2021-40444) in MSHTML that was disclosed months ago.
  • This flaw was exploited to gain initial access and deliver Cobalt Strike Beacon loaders.
  • The stealer payload is executed by a DLL downloaded on the infected systems. Once executed, the PowerShell script collects data and then sends it to the C2 server of attackers.

A connection to Iran

  • Based on the content of a malicious document, which blames Iran’s leader for the Corona massacre, and the nature of collected data, researchers arrived at an assumption that victims might be Iranians living abroad and are a threat to Iran’s regime.
  • Additionally, the attacker might be linked to Iran since Telegram surveillance is often performed by Iranian-based attackers such as Rampant Kitten, Infy, and Ferocious Kitten.

Who are they targeting?

Almost half of the victims are based in the U.S. (45.8%), followed by the Netherlands (12.5%), Russia (8.3%), Canada (8.3%), Germany (8.3%), India (4.2%), the U.K (4.2%), Korea (4.2%), and China (4.2%).

Conclusion

Cybercriminals are now actively using the exploiting CVE-2021-40444 vulnerability, which has impacted people across several continents. Therefore, exports recommend organizations implement a robust patch program and deploy reliable anti-malware solutions.

Source: https://cyware.com/news/iranian-hackers-abusing-known-bug-in-microsofts-mshtml-b3c4dbcc

Click to comment
Exit mobile version