Pierluigi Paganini
November 25, 2021
Researchers from SafeBreach Labs spotted a new Iranian threat actor that is using an exploit for a Microsoft MSHTML Remote Code Execution (RCE) flaw in attacks aimed at Farsi-speaking victims. The exploit is used to install a PowerShell stealer, tracked by the researchers as PowerShortShell, that steals Google and Instagram credentials of the victims.
The campaign was first spotted in mid-September 2021 by ShadowChasing.
The PowerShortShell stealer is also used for Telegram surveillance and gathering system information from infected systems.
“SafeBreach Labs analyzed the full attack chain, discovered new phishing attacks which started in July this year and achieved the last and most interesting piece of the puzzle – the PowerShell Stealer code – which we named PowerShortShell.” reads the analysis published by SafeBreach Labs. “The reason we chose this name is due to the fact that the stealer is a PowerShell script, short with powerful collection capabilities – in only ~150 lines, it provides the adversary a lot of critical information including screen captures, telegram files, document collection, and extensive data about the victim’s environment.”
The campaign targets Windows users, the attack chain starts with spear-phishing emails using malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) flaw tracked as CVE-2021-40444.
Most of the victims are located in the United States, threat actors use the “Corona massacre” lure, a circumstance that confirmed the attackers are targeting Iranians who live abroad. Upon opening the document a DLL is dropped on the target system, then it is used to execute the PowerShortShell stealer payload.
The PowerShortShell collects data and exfiltrates it to a C2 server under the control of the attacker.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is quite unique to Iranian threat actors which in most cases heavily rely on social engineering tricks.” continues the experts.
In mid-September, Microsoft reported that multiple threat actors, including ransomware operators, were exploiting the recently patched Windows MSHTML remote code execution security flaw (CVE-2021-40444) in attacks against organizations. The IT giant said that threat actors started targeting this issue on August 18, before Microsoft shared mitigation for this vulnerability, the attackers used weaponized Office documents. The campaigns observed August 2021 likely employed emails impersonating contracts and legal agreements, the messages used documents that were hosted on file-sharing sites.
“In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.” reads the post published by Microsoft. “These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.”
Experts noticed that loaders employed in the attacks connected with the C2 infrastructure connected with several cybercrime campaigns, including ransomware operators.
MSTIC researchers tracked a large cluster of malicious activity involving Cobalt Strike infrastructure under the name DEV-0365, which has many similarities with another Cobalt Strike infrastructure that suggests it was managed by a third-party threat actor.
Experts pointed out that the availability of information about the CVE-2021-40444 issue shared online allowed threat actors to create their own exploit
The report published by SafeBreach also includes indicators of compromise for the attacks orchestrated by the Iranian threat actors.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, MSHTML)
[adrotate banner=”5″]
[adrotate banner=”13″]
