430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials

An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug. Researchers from SafeBreach Labs have identified a new Iranian threat actor that is exploiting a Microsoft MSHTML Remote Code Execution (RCE) vulnerability in attacks targeting Farsi-speaking victims. The exploit is used to install a PowerShell stealer, […]

mshtml attack Iran

An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug.

Researchers from SafeBreach Labs have identified a new Iranian threat actor that is exploiting a Microsoft MSHTML Remote Code Execution (RCE) vulnerability in attacks targeting Farsi-speaking victims. The exploit is used to install a PowerShell stealer, tracked by the researchers as PowerShortShell, that steals Google and Instagram credentials of the victims.

The campaign was first spotted in mid-September 2021 by ShadowChasing.

The PowerShortShell stealer is also used for Telegram surveillance and gathering system information from infected systems.

“SafeBreach Labs analyzed the full attack chain, discovered new phishing attacks which started in July this year and achieved the last and most interesting piece of the puzzle – the PowerShell Stealer code – which we named PowerShortShell.” reads the analysis published by SafeBreach Labs. “The reason we chose this name is due to the fact that the stealer is a PowerShell script, short with powerful collection capabilities – in only ~150 lines, it provides the adversary a lot of critical information including screen captures, telegram files, document collection, and extensive data about the victim’s environment.”

The campaign targets Windows users; the attack chain starts with spear-phishing emails using malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) flaw tracked as CVE-2021-40444.

Most of the victims are located in the United States, and threat actors use the “Corona massacre” lure, a circumstance that confirms the attackers are targeting Iranians who live abroad. Upon opening the document, a DLL is dropped on the target system, and then it is used to execute the PowerShortShell stealer payload.

The PowerShortShell collects data and exfiltrates it to a C2 server under the control of the attacker.

“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is quite unique to Iranian threat actors which in most cases heavily rely on social engineering tricks.” continues the experts.

In mid-September, Microsoft reported that multiple threat actors, including ransomware operators, were exploiting the recently patched Windows MSHTML remote code execution security flaw (CVE-2021-40444) in attacks against organizations. The IT giant said that threat actors started targeting this issue on August 18, before Microsoft shared mitigation for this vulnerability, the attackers used weaponized Office documents. The campaigns observed in August 2021 likely employed emails impersonating contracts and legal agreements, the messages used documents that were hosted on file-sharing sites. 

“In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.” reads the post published by Microsoft. “These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.”

Experts noticed that loaders employed in the attacks connected with the C2 infrastructure connected with several cybercrime campaigns, including ransomware operators.

cve-2021-40444 attacks

MSTIC researchers tracked a large cluster of malicious activity involving Cobalt Strike infrastructure under the name DEV-0365, which has many similarities with another Cobalt Strike infrastructure that suggests it was managed by a third-party threat actor. 

Experts pointed out that the availability of information about the CVE-2021-40444 issue shared online allowed threat actors to create their own exploit

The report published by SafeBreach also includes indicators of compromise for the attacks orchestrated by the Iranian threat actors.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MSHTML)