CyberManipal.

Tech news from MIST

Known Bug Being Abused by Iranian Hackers Found in Microsoft's MSHTML

Vulnerabilities
Garima Kejriwal

November 29, 2021

An Iranian threat actor is stealing the Instagram and Google credentials of Farsi-speaking individuals around the world. The group is using a new PowerShell-based stealer, PowerShortShell, in this campaign. PowerShortShell is also used for Telegram surveillance and for gathering system details from infected devices, which are then sent to attacker-controlled servers. Almost half of the victims are based in the United States of America, followed by the Netherlands, Russia, Canada, Germany, India, the U.K., Korea, and China.

These attacks are not new. They started in July with spear-phishing emails that targeted Windows users with WinWord attachments. The attachments exploited a remote code execution flaw in MSHTML (CVE-2021-40444) that was disclosed months ago, using it to gain initial access and deliver Cobalt Strike Beacon loaders. A DLL then executes the stealer payload downloaded onto the infected system. Once running, the PowerShell script collects data and sends it to the attackers' C2 server.

Cybercriminals are now actively exploiting CVE-2021-40444, and the campaign has impacted people across several continents. Experts therefore recommend that organisations implement a robust patch program and deploy reliable anti-malware solutions.

Abridged from CyWare