
Iranian Hackers Abusing Known Bug in Microsoft’s MSHTML

An Iranian threat actor is stealing Instagram and Google credentials of Farsi-speaking individuals around the world. The threat group is using a new PowerShell-based stealer, PowerShortShell, for this campaign.

What has happened?

PowerShortShell was used for Telegram surveillance and gathering system details from infected devices. The information is sent back to attacker-controlled servers.

  • The attacks started in July via spear-phishing emails that targeted Windows users with Winword attachments. They exploited a remote code execution flaw (CVE-2021-40444) in MSHTML that was disclosed months ago.
  • This flaw was exploited to gain initial access and deliver Cobalt Strike Beacon loaders.
  • The stealer payload is executed by a DLL downloaded onto the infected system. Once running, the PowerShell script collects data and sends it to the attackers' C2 server.
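The chain above (a Word attachment that ends up launching a PowerShell stealer, which then talks to a C2 server) leaves two host-level signals that a defender can look for in endpoint telemetry: an Office binary as the parent of a script host, and that same process later opening an outbound connection to an external address. The following is an added example for this page, not code from the article or from the researchers it cites. The event schema, the list of Office parents and script hosts (generalised beyond the Word and PowerShell the article names), and every log line are constructed for the example and only loosely resemble Sysmon process-creation and network events; the C2 address is a placeholder.

```python
"""Flag Office-spawned script hosts and their follow-on outbound traffic.

Added example (constructed events, not real telemetry). Two-stage check:
  1. a process-creation event whose parent is an Office binary and whose
     image is a script host is flagged at creation time;
  2. a later network event from the same pid to a non-internal address is
     appended to that alert, mirroring the collect-then-send behaviour
     described in the article.
"""
import ipaddress
import json

# Assumption: generalised beyond the article, which names only Word/PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments typical of launcher-style PowerShell invocations.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "downloadstring", "iex ")
# Addresses treated as internal; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_event(line: str) -> dict:
    """Parse one JSON event line; reduce image paths to lower-cased basenames."""
    ev = json.loads(line)
    for key in ("image", "parent_image"):
        if key in ev:
            ev[key] = ev[key].rsplit("\\", 1)[-1].lower()
    return ev


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_process(ev: dict):
    """Return (score, reasons) for a single process-creation event."""
    reasons = []
    if ev.get("parent_image") in OFFICE_PARENTS and ev.get("image") in SCRIPT_HOSTS:
        reasons.append("office-parent-spawned-script-host")
    cmd = ev.get("command_line", "").lower()
    hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
    if hits:
        reasons.append("suspicious-args:" + ",".join(hits))
    return len(reasons), reasons


def detect(lines):
    """Run both stages over an ordered stream of event lines; return alerts."""
    alerts = []
    watched = {}  # pid -> alert for processes flagged at creation
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "process":
            _, reasons = score_process(ev)
            # The Office-parent relationship is the strong signal; argument
            # hits only enrich an alert rather than raising one on their own.
            if any(r.startswith("office-parent") for r in reasons):
                alert = {"pid": ev["pid"], "image": ev["image"],
                         "parent": ev["parent_image"], "reasons": reasons}
                watched[ev["pid"]] = alert
                alerts.append(alert)
        elif ev["type"] == "network" and ev["pid"] in watched:
            if not is_internal(ev["dest_ip"]):
                watched[ev["pid"]]["reasons"].append(
                    f"outbound-to-public:{ev['dest_ip']}:{ev['dest_port']}")
    return alerts


# Constructed sample events: a user opens an attachment from Outlook, Word
# spawns an obfuscated PowerShell that then connects out, alongside a benign
# admin script and some internal traffic. 203.0.113.10 is a placeholder C2.
SAMPLE_EVENTS = [
    r'{"type":"process","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","command_line":"WINWORD.EXE /n invoice.docx"}',
    r'{"type":"process","pid":5008,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","command_line":"powershell.exe -nop -w hidden -enc BASE64BLOB"}',
    r'{"type":"network","pid":5008,"dest_ip":"203.0.113.10","dest_port":443}',
    r'{"type":"process","pid":6100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"powershell.exe -File C:\\scripts\\backup.ps1"}',
    r'{"type":"network","pid":6100,"dest_ip":"10.0.0.5","dest_port":445}',
    r'{"type":"network","pid":5008,"dest_ip":"192.168.1.20","dest_port":445}',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(json.dumps(a))
```

Run as-is, the script reports a single alert for pid 5008 with three reasons (Office parent, encoded/hidden arguments, outbound connection to the placeholder address); the admin-run backup script and the internal SMB traffic produce nothing. Ordering matters: the network stage only enriches processes already flagged, so events must be fed in time order.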

A connection to Iran

  • Based on the content of a malicious document, which blames Iran’s leader for the Corona massacre, and on the nature of the collected data, researchers assume the victims may be Iranians living abroad who are seen as a threat to Iran’s regime.
  • Additionally, the attacker might be linked to Iran, since Telegram surveillance is often performed by Iran-based threat actors such as Rampant Kitten, Infy, and Ferocious Kitten.

Who are they targeting?

Almost half of the victims are based in the U.S. (45.8%), followed by the Netherlands (12.5%), Russia (8.3%), Canada (8.3%), Germany (8.3%), India (4.2%), the U.K. (4.2%), Korea (4.2%), and China (4.2%).

Conclusion

Cybercriminals are now actively exploiting CVE-2021-40444, and the campaign has affected people across several continents. Experts therefore recommend that organizations implement a robust patch program and deploy reliable anti-malware solutions.

Source: https://cyware.com/news/iranian-hackers-abusing-known-bug-in-microsofts-mshtml-b3c4dbcc
