A newly discovered Iranian threat actor is stealing Google and Instagram credentials using an exploit for a Microsoft MSHTML Remote Code Execution flaw.
- Researchers from SafeBreach Labs spotted a new Iranian threat actor aimed at Farsi-speaking victims.
- The campaign was first spotted in mid-September 2021 by ShadowChasing.
SafeBreach Labs discovered that the attacks (publicly reported in September on Twitter by the Shadow Chaser Group) started in July as spear-phishing emails.
The campaign targets Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.
“Almost half of the victims are located in the United States. Based on the Microsoft Word document content, which blames Iran’s leader for the ‘Corona massacre’, and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar, Director of Security Research at SafeBreach Labs.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.”
The PowerShortShell malware gathers data and exfiltrates it to a command-and-control (C2) server under the attacker's control.
“In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders,” reads the post published by Microsoft.
“These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.”
MSTIC researchers tracked a large cluster of malicious activity involving Cobalt Strike infrastructure under the name DEV-0365. This cluster has multiple similarities with another Cobalt Strike infrastructure, which suggests that a third-party threat actor managed it.