Last Updated on 25/11/2021 by Sunaina
A new Iranian threat actor has been discovered exploiting a now-fixed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a new PowerShell-based information stealer designed to harvest extensive information from infected machines.
“[T]he stealer is a PowerShell script with powerful collection capabilities — in only 150 lines, it provides the adversary with a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim’s environment,” SafeBreach Labs researcher Tomer Bar wrote in a report published Wednesday.
Nearly half of the targets are from the United States, with the cybersecurity firm speculating that the attacks are likely aimed at “Iranians living abroad who may be seen as a threat to Iran’s Islamic regime.”
The phishing campaign, which began in July 2021, made use of CVE-2021-40444, a remote code execution flaw that could be exploited through specially crafted Microsoft Office documents. Microsoft patched the vulnerability in September 2021, weeks after reports of active exploitation surfaced in the wild.
According to SafeBreach, the attack sequence begins with the targets receiving a spear-phishing email with a Word document attached. The exploit for CVE-2021-40444 is triggered by opening the file, resulting in the execution of a PowerShell script dubbed “PowerShortShell,” which is capable of collecting sensitive information and transmitting it to a command-and-control (C2) server.
The discovery is the latest in a series of attacks that have exploited the MSHTML rendering engine flaw, with Microsoft previously disclosing a targeted phishing campaign that exploited the flaw as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.