Iranian cybercriminals are deploying a new PowerShell-based stealer called PowerShortShell to steal Google and Instagram credentials from Farsi-speaking targets worldwide.
The info stealer also collects system data from compromised devices and sends it, together with the stolen credentials, to attacker-controlled servers. According to SafeBreach Labs, the attacks began in July with spear-phishing emails that exploit a Microsoft MSHTML remote code execution (RCE) vulnerability, tracked as CVE-2021-40444, to attack Windows users.
A DLL dropped on the compromised system runs the PowerShortShell stealer payload. The PowerShell script collects data and screen captures and sends them to the attacker’s command-and-control server.
“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar, Director of Security Research at SafeBreach Labs.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.”
The CVE-2021-40444 RCE flaw in Internet Explorer’s MSHTML rendering engine was first exploited in the wild on August 18; more than two weeks went by before Microsoft issued a security advisory, and three weeks passed before a patch was released.
The Magniber ransomware gang recently used it to infiltrate and encrypt users’ devices via malicious advertising. Microsoft said several threat actors, including ransomware affiliates, targeted this Windows MSHTML RCE flaw through phishing emails.
These attacks leveraged the CVE-2021-40444 bug “as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders”.
Some of the beacons communicated with malicious infrastructure associated with human-operated ransomware.
Although it may come as a surprise to some, the threat actors who first shared exploits for CVE-2021-40444 on hacking forums have been using them ever since.
As a result, the security issue was likely exploited by a wider range of attackers and groups.
The publicly available information is straightforward to follow and allows anyone to build a working CVE-2021-40444 exploit, including a Python server that delivers malicious documents and CAB files to vulnerable systems.