
Iranian Hackers Abusing Known Bug in Microsoft’s MSHTML

An Iranian threat actor is stealing Instagram and Google credentials of Farsi-speaking individuals around the world. The threat group is using a new PowerShell-based stealer, PowerShortShell, for this campaign.

What has happened?

PowerShortShell was used for Telegram surveillance and gathering system details from infected devices. The information is sent back to attacker-controlled servers.

  • The attacks started in July via spear-phishing emails that targeted Windows users with Winword attachments. They exploited a remote code execution flaw (CVE-2021-40444) in MSHTML that was disclosed months ago.
  • This flaw was exploited to gain initial access and deliver Cobalt Strike Beacon loaders.
  • The stealer payload is executed by a DLL downloaded onto the infected systems. Once executed, the PowerShell script collects data and then sends it to the attackers' C2 server.
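The chain above (a Word attachment exploiting the MSHTML flaw, a DLL loader, then a PowerShell stealer) leaves a recognisable parent/child process lineage. The following added example, which is not code from the original article or from the researchers it cites, flags Office processes that spawn script hosts or DLL loaders in constructed process-creation records; the log format, field names and sample paths are assumptions made for the example.

```python
# Added detection example (not from the original article). Process-creation
# records are constructed here in a simple 'key=value|key=value' format.
from dataclasses import dataclass

# Office applications that should rarely spawn script hosts or DLL loaders.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children consistent with an MSHTML document exploit or a script-based stealer.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "control.exe",
                       "rundll32.exe", "mshta.exe", "cmd.exe"}
# Payloads dropped by a document usually live in user-writable temp locations.
SUSPICIOUS_PATH_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\")

@dataclass
class ProcEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'parent=...|image=...|cmdline=...' record."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(fields["parent"], fields["image"], fields["cmdline"])

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_suspicious(ev: ProcEvent) -> bool:
    """Office parent plus a script host/DLL loader child, or a child whose
    command line references a temp/download location, is flagged."""
    if basename(ev.parent) not in OFFICE_PARENTS:
        return False
    if basename(ev.image) in SUSPICIOUS_CHILDREN:
        return True
    cmd = ev.cmdline.lower()
    return any(hint in cmd for hint in SUSPICIOUS_PATH_HINTS)

def scan(log_text: str) -> list:
    """Return the flagged events from a block of newline-separated records."""
    return [ev for ev in map(parse_event, log_text.strip().splitlines())
            if is_suspicious(ev)]

# Constructed sample records: two malicious-looking, two benign.
SAMPLE_LOG = r"""
parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\control.exe|cmdline=control.exe C:\Users\victim\AppData\Local\Temp\Low\stage.cpl
parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -nop -w hidden -File C:\Users\victim\AppData\Local\Temp\collect.ps1
parent=C:\Windows\explorer.exe|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmdline=WINWORD.EXE /n
parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\splwow64.exe|cmdline=C:\Windows\splwow64.exe 12288
"""

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print("ALERT:", basename(ev.parent), "->", basename(ev.image), "|", ev.cmdline)
```

Tune the parent and child sets to the Office add-ins and printing helpers in use in your environment before alerting on every hit.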

A connection to Iran

  • Based on the content of a malicious document, which blames Iran’s leader for the Corona massacre, and on the nature of the collected data, researchers assume that the victims are Iranians living abroad who are regarded as a threat to Iran’s regime.
  • Additionally, the attacker might be linked to Iran, since Telegram surveillance is often performed by Iran-based attackers such as Rampant Kitten, Infy, and Ferocious Kitten.

Who are they targeting?

Almost half of the victims are based in the U.S. (45.8%), followed by the Netherlands (12.5%), Russia (8.3%), Canada (8.3%), Germany (8.3%), India (4.2%), the U.K. (4.2%), Korea (4.2%), and China (4.2%).

Conclusion

Cybercriminals are now actively exploiting CVE-2021-40444, which has impacted people across several continents. Therefore, experts recommend that organizations implement a robust patch program and deploy reliable anti-malware solutions.

Source: https://cyware.com/news/iranian-hackers-abusing-known-bug-in-microsofts-mshtml-b3c4dbcc
