Last Updated on 29/11/2021 by Nidhi Khandelwal
According to security researchers at SafeBreach Labs, a newly identified Iranian threat actor is using a new PowerShell-based stealer, dubbed PowerShortShell, to harvest Google and Instagram credentials from Farsi-speaking targets around the world.
The information stealer is also used for Telegram surveillance and for gathering system information from infected machines, which is exfiltrated to attacker-controlled servers along with the stolen credentials.
The attackers deliver malicious Microsoft Word attachments to Windows users; the documents exploit the Microsoft MSHTML remote code execution (RCE) flaw tracked as CVE-2021-40444.
A DLL dropped on compromised systems loads the PowerShortShell stealer payload. Once the PowerShell script runs, it collects system data and screenshots and sends them to the attacker’s command-and-control (C2) server.
The CVE-2021-40444 RCE bug in the MSHTML (Trident) rendering engine used by Internet Explorer and Office was exploited in the wild as a zero-day from at least August 18, 2021, more than two weeks before Microsoft published a security advisory with a partial workaround (disabling the installation of ActiveX controls in Internet Explorer), and three weeks before a patch was released.
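The interim workaround Microsoft published for CVE-2021-40444 disables ActiveX installation by setting the URLACTION values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (Disable) in Internet zones 0 through 3 under the policy hive. The PowerShell below is an added example, not code from this article or from SafeBreach’s report: it audits whether those values are in place on a Windows host and can apply them. The registry path and value numbers are those from Microsoft’s published workaround; the function names and the hypothetical usage at the bottom are this example’s own. Run it from an elevated session.

```powershell
# Added example (not from the SafeBreach report): audit or apply Microsoft's
# interim CVE-2021-40444 workaround. URLACTION 1001 = download signed ActiveX
# controls, 1004 = download unsigned ActiveX controls; a value of 3 means Disable.
$ZonesPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UrlActions      = @('1001', '1004')
$Disabled        = 3

function Get-ActiveXWorkaroundState {
    # One object per zone/action pair; Value is $null when the entry is not set at all.
    foreach ($zone in 0..3) {
        $zonePath = Join-Path $ZonesPolicyRoot $zone
        foreach ($action in $UrlActions) {
            $value = $null
            if (Test-Path $zonePath) {
                $value = (Get-ItemProperty -Path $zonePath -Name $action -ErrorAction SilentlyContinue).$action
            }
            [pscustomobject]@{
                Zone      = $zone
                UrlAction = $action
                Value     = $value
                Mitigated = ($value -eq $Disabled)
            }
        }
    }
}

function Test-ActiveXWorkaround {
    # $true only when every zone/action pair is set to Disable (3).
    $missing = Get-ActiveXWorkaroundState | Where-Object { -not $_.Mitigated }
    if ($missing) {
        Write-Warning ("CVE-2021-40444 ActiveX workaround is incomplete:`n" +
            ($missing | Format-Table Zone, UrlAction, Value -AutoSize | Out-String))
        return $false
    }
    return $true
}

function Set-ActiveXWorkaround {
    # Creates missing zone keys and forces both URLACTION values to Disable.
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($zone in 0..3) {
        $zonePath = Join-Path $ZonesPolicyRoot $zone
        if (-not (Test-Path $zonePath)) {
            New-Item -Path $zonePath -Force | Out-Null
        }
        foreach ($action in $UrlActions) {
            if ($PSCmdlet.ShouldProcess("$zonePath\$action", "Set DWORD to $Disabled (Disable)")) {
                New-ItemProperty -Path $zonePath -Name $action -PropertyType DWord `
                    -Value $Disabled -Force | Out-Null
            }
        }
    }
}

# Hypothetical usage: audit first, then preview the change before applying it for real.
if (-not (Test-ActiveXWorkaround)) {
    Set-ActiveXWorkaround -WhatIf
    # Set-ActiveXWorkaround   # apply once the preview looks right
}
```

Treat a passing check as a stopgap only: the workaround is partial, as the article notes, and the actual fix is the September 2021 security update for MSHTML, so confirm the patch is installed rather than relying on these registry values.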
Most recently, it was exploited in conjunction with malicious advertisements by the Magniber ransomware gang to infect targets with malware and encrypt their devices.
Microsoft also said multiple threat actors, including ransomware affiliates, targeted this Windows MSHTML RCE bug using maliciously crafted Office documents delivered via phishing attacks.
Since threat actors began posting tutorials and proof-of-concept exploits on hacking forums even before the flaw was patched, it is no surprise that more and more attackers are exploiting CVE-2021-40444.
That publicity likely enabled other threat actors and groups to use the vulnerability in their own attacks.
The instructions posted online are straightforward, so anyone can build a working CVE-2021-40444 exploit, complete with a Python server that serves the malicious documents and CAB files to targeted devices.