A newly discovered Iranian threat actor is stealing Google and Instagram credentials from Farsi-speaking targets around the world using a new PowerShell-based stealer dubbed PowerShortShell by security researchers at SafeBreach Labs.
The information stealer is also used for Telegram surveillance and for collecting system information from compromised devices, which is sent to attacker-controlled servers along with the stolen credentials.
As SafeBreach Labs discovered, the attacks (first reported in September on Twitter by the Shadow Chaser Group) began in July in the form of spear-phishing emails.
They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.
The PowerShortShell stealer payload is executed by a DLL downloaded onto the compromised systems. Once launched, the PowerShell script begins collecting data and screenshots and exfiltrates them to the attacker’s command and control server.
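As an added illustration, not code from the article or from SafeBreach Labs: a small Python check over constructed process-creation events that flags a PowerShell process whose ancestry leads back to WINWORD.EXE, the execution chain described above (Word attachment, downloaded DLL, PowerShell stealer). The intermediate DLL host, all pids, paths and command lines are hypothetical.

```python
import ntpath
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry; pids, paths and the rundll32 stage are hypothetical.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              'WINWORD.EXE "invitation.docx"'),
    # Hypothetical host process for the downloaded DLL.
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe", "rundll32.exe stage.dll,Run"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -f stealer.ps1"),
    # Benign interactive PowerShell started from the desktop, should not be flagged.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Walk parent links from pid upward; stops at unknown pids or cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_office_spawned_shells(events: list, max_depth: int = 3) -> list:
    """Return (shell_pid, office_pid, depth) for shells descended from Word."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if image_name(ev.image) not in SHELL_IMAGES:
            continue
        for depth, anc in enumerate(ancestors(ev.ppid, by_pid), start=1):
            if depth > max_depth:
                break
            if image_name(anc.image) in OFFICE_IMAGES:
                hits.append((ev.pid, anc.pid, depth))
                break
    return hits
```

Running `find_office_spawned_shells(EVENTS)` on the sample flags only pid 400, two levels below WINWORD.EXE; `max_depth` bounds how many intermediate stages the walk tolerates.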
“Almost half of the victims are in the United States. Based on the contents of the Microsoft Word document – which accuses the Iranian leader of the ‘Corona massacre’ – and the nature of the data collected, we suspect that the victims could be Iranians living abroad and could be seen as a threat to the Iranian Islamic regime,” noted Tomer Bar, Director of Security Research at SafeBreach Labs.
“The adversary could be linked to the Iranian Islamic regime since the use of Telegram surveillance is typical of Iranian threat actors like Infy, Ferocious Kitten and Rampant Kitten.”
The CVE-2021-40444 RCE bug affecting IE’s MSHTML renderer was exploited in the wild as a zero-day starting August 18, more than two weeks before Microsoft issued a security advisory with a partial workaround, and three weeks before a fix was released.
More recently, it has been exploited in conjunction with malicious advertisements by the Magniber ransomware gang to infect targets with malware and encrypt their devices.
Microsoft also said that several threat actors, including ransomware affiliates, targeted this Windows MSHTML RCE bug using maliciously crafted Office documents delivered via phishing attacks.
These attacks abused the CVE-2021-40444 vulnerability “as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.”
The deployed beacons communicated with malicious infrastructure linked to several cybercrime campaigns, including, but not limited to, human-operated ransomware.
It’s no surprise that more and more attackers are using CVE-2021-40444 exploits, since malicious actors started sharing tutorials and proof-of-concept exploits on hacking forums even before the bug was patched.
This likely allowed other malicious actors and groups to start exploiting the security hole in their own attacks.
The information shared online is simple to follow and makes it easy for anyone to create their own working version of a CVE-2021-40444 exploit, including a Python server that can distribute malicious documents and CAB files to compromised systems.
Using this information, BleepingComputer could also successfully reproduce the exploit in about 15 minutes, as demonstrated in this video demo.