Tuesday, November 30, 2021

Hackers Exploit Microsoft MSHTML Bug to Steal Google and Instagram Credentials

A newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets around the world using a new PowerShell-based infostealer that security researchers at SafeBreach Labs have named PowerShortShell.

The infostealer is also used for Telegram surveillance and for collecting system information from compromised devices; the collected data is sent to attacker-controlled servers along with the stolen credentials.

As SafeBreach Labs discovered, the attacks (publicly reported on Twitter in September by Shadow Chaser Group) started in July as spear-phishing emails.

They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) vulnerability tracked as CVE-2021-40444.

The PowerShortShell stealer payload is executed by a downloaded DLL on compromised systems. Once launched, the PowerShell script begins collecting data and screenshots, exfiltrating them to the attacker’s command and control server.

“Almost half of the victims are in the United States. Based on the content of the Microsoft Word document, which blames the leader of Iran for the ‘Corona massacre’ and the nature of the data collected, we assume that the victims could be Iranians living abroad and could be seen as a threat to the Islamic regime in Iran”, said Tomer Bar, director of security research at SafeBreach Labs.

“The adversary could be linked to the Islamic regime in Iran, as Telegram’s use of surveillance is typical of Iranian threat actors like Infy, Ferocious Kitten and Rampant Kitten.”

Victim Heat Map (SafeBreach Labs)

The CVE-2021-40444 RCE bug, which affects IE’s MSHTML rendering engine, was exploited in the wild as a zero-day as early as August 18, more than two weeks before Microsoft issued a security advisory with a partial workaround and three weeks before a patch was released.

More recently, it was exploited alongside malicious advertisements by the Magniber ransomware gang to infect targets with malware and encrypt their devices.

Microsoft also said that multiple threat actors, including ransomware affiliates, targeted this Windows MSHTML RCE bug using maliciously crafted Office documents delivered via phishing attacks.

These attacks abused the CVE-2021-40444 flaw “as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.”

The deployed beacons communicated with malicious infrastructure connected with various cybercrime campaigns, including but not limited to human-operated ransomware.

Chain of Attack CVE-2021-40444 (Microsoft)

Not surprisingly, more and more attackers are using CVE-2021-40444 exploits, since threat actors started sharing tutorials and proof-of-concept exploits on hacking forums even before the bug was fixed.

This likely allowed other actors and threat groups to start exploiting the security flaw in their own attacks.

The information shared online is easy to follow and allows almost anyone to build their own working version of a CVE-2021-40444 exploit, including a Python server that can deliver malicious documents and CAB files to targeted systems.

With this information, BleepingComputer was also able to reproduce the exploit in about 15 minutes, as demonstrated in this demo video.
