A new Iranian threat actor has been discovered exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a new PowerShell-based information stealer designed to harvest extensive details from infected machines.
“[T]he stealer is a PowerShell script, short with powerful collection capabilities – in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim’s environment,” SafeBreach Labs researcher Tomer Bar said in a report published Wednesday.
Nearly half of the targets are in the United States, with the cybersecurity firm noting that the attacks are likely aimed at “Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime.”
The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was patched by Microsoft in September 2021, weeks after reports of active exploitation emerged in the wild.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” the Windows maker noted.
The attack chain described by SafeBreach begins with the targets receiving a spear-phishing email that comes with a Word document as an attachment. Opening the file triggers the exploit for CVE-2021-40444, resulting in the execution of a PowerShell script dubbed “PowerShortShell” that is capable of hoovering up sensitive information and transmitting it to a command-and-control (C2) server.
While infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also used to harvest Gmail and Instagram credentials from victims of two phishing campaigns staged by the same adversary in July 2021.
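As an added defender-side example that is not part of the SafeBreach report, the following script inspects a .docx package for the document shape the chain above relies on: an OLE-object relationship whose target is external (an `mhtml:` or `http(s):` URL) rather than an embedded part, which is what lets the document pull in the MSHTML-rendered content. The sample documents are constructed inline; the host name is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Word uses for embedded OLE objects (WordprocessingML).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def find_external_ole_targets(docx_bytes):
    """Return (part name, Target) for every oleObject relationship marked
    TargetMode="External". A legitimate embedded object points at a part
    inside the package; an external target is worth a closer look."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits

def is_suspicious(docx_bytes):
    """Flag the document if any external OLE target is a web or mhtml URL."""
    return any(re.match(r"(?i)^(mhtml:|https?:)", target)
               for _, target in find_external_ole_targets(docx_bytes))

def build_docx(rels_xml):
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed relationship parts: a benign embedded object and the
# external-URL shape (placeholder host) a scanner should surface.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="%s" Target="embeddings/oleObject1.bin"/>
</Relationships>""" % OLE_REL_TYPE
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="%s" Target="mhtml:http://example.invalid/page.html" TargetMode="External"/>
</Relationships>""" % OLE_REL_TYPE
```

Run it over a mail-gateway quarantine folder or a sandbox drop directory; a hit is a triage signal, not proof of exploitation, since some legitimate templates also link external objects.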
The development is the latest in a string of attacks that have capitalized on the flaw in the MSHTML rendering engine, with Microsoft previously disclosing a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.