The attacks started in July 2021, with threat actors exploiting a Microsoft MSHTML vulnerability to target overseas Iranians.
SafeBreach Labs researchers discovered a new Iranian threat actor trying to steal Instagram and Google (Gmail) login credentials of Farsi-speakers globally. The threat actor is using a new PowerShell-based stealer dubbed PowerShortShell by SafeBreach Labs.
The attacks were initially reported in September by the Shadow Chase Group in a Twitter post. According to the group, a critical flaw in the Microsoft MSHTML platform was being exploited to launch different types of cyberattacks.
What is PowerShortShell?
PowerShortShell is an information stealer that also collects system information from infected devices (sent to the attacker along with the stolen credentials) and performs Telegram surveillance.
The stealer is so named because it is a PowerShell script that is short but has powerful “collection capabilities,” the researchers noted. Within just 150 lines it gives the attacker plenty of sensitive information, including screen captures, collected documents, Telegram files, and extensive details about the victim’s environment.
About the Phishing Campaign
According to SafeBreach Labs researcher Tomer Bar, the attacks started in July, and users were targeted through spear-phishing emails. Around half of the targets are in the US, but the attacker’s primary focus appears to be overseas Iranians, who may “be seen as a threat to Iran’s Islamic regime,” Bar explained.
The campaign exploited CVE-2021-40444, a remote code execution flaw that can be triggered with specially crafted MS Office documents.
Microsoft patched the flaw in September 2021.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft noted in its advisory following the patch.
However, infections using the info stealer PowerShortShell were discovered just one day after Microsoft patched the bug on 15 September.
How Does It Steal Credentials?
SafeBreach Labs explained that the targets receive a spear-phishing email containing a Word file as an attachment. When the recipient opens this file, the exploit for the Microsoft MSHTML bug gets triggered, and the PowerShortShell script is executed as a result.
This script then steals sensitive device and user data and sends it to an attacker-controlled C2 server, which also harvested the victims’ Gmail and Instagram credentials.
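As an added, defender-side illustration of the chain just described (this is example code written for this page, not code from SafeBreach Labs or from the campaign), the Python below flags a PowerShell host launched by an Office application and correlates it with the first outbound connection that host then makes, which is the exfiltration-to-C2 step. The process names, command-line switches, host names, IP address and the sample events are constructed assumptions for the example, not indicators from the report.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed detection vocabulary (not values from the SafeBreach report).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Switches a dropped script typically uses to run silently; each one
# present in the command line raises the alert score by one.
RISKY_SWITCHES = ("-w hidden", "-windowstyle hidden", "-ep bypass",
                  "-executionpolicy bypass", "-enc", "-encodedcommand", "-nop")


@dataclass
class Event:
    ts: int            # seconds since epoch
    kind: str          # "process" (creation) or "network" (outbound connect)
    host: str          # machine that produced the event
    image: str         # image name of the acting process, e.g. "powershell.exe"
    parent: str = ""   # parent image name (process events only)
    cmdline: str = ""  # full command line (process events only)
    dest: str = ""     # "ip:port" (network events only)


@dataclass
class Alert:
    ts: int
    host: str
    parent: str
    cmdline: str
    score: int
    c2_dest: Optional[str] = None  # filled in when a follow-up connection is seen


def cmdline_score(cmdline: str) -> int:
    """Count the silent-execution switches present in a command line."""
    lower = cmdline.lower()
    return sum(1 for sw in RISKY_SWITCHES if sw in lower)


def detect(events: List[Event], window: int = 300) -> List[Alert]:
    """Flag script hosts spawned by Office apps (the document-opens-and-runs-
    PowerShell step) and attach the first outbound connection the same image
    makes on that machine within `window` seconds (the send-to-C2 step)."""
    alerts: List[Alert] = []
    ordered = sorted(events, key=lambda e: e.ts)
    for e in ordered:
        if e.kind != "process":
            continue
        if e.parent.lower() in OFFICE_APPS and e.image.lower() in SCRIPT_HOSTS:
            alert = Alert(e.ts, e.host, e.parent, e.cmdline, 1 + cmdline_score(e.cmdline))
            for n in ordered:
                if (n.kind == "network" and n.host == e.host
                        and n.image.lower() == e.image.lower()
                        and e.ts <= n.ts <= e.ts + window):
                    alert.c2_dest = n.dest
                    alert.score += 1
                    break
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not from the campaign): on ws01 a user opens
# the attachment, Word spawns a hidden PowerShell, which then calls out.
# On ws02 an administrator runs PowerShell from Explorer: same image, benign
# parent, so it must not be flagged even though it also connects outbound.
SAMPLE_EVENTS = [
    Event(1000, "process", "ws01", "winword.exe", parent="explorer.exe",
          cmdline='"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n invoice.docx'),
    Event(1004, "process", "ws01", "powershell.exe", parent="winword.exe",
          cmdline="powershell.exe -w hidden -ep bypass -nop -f C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"),
    Event(1009, "network", "ws01", "powershell.exe", dest="198.51.100.23:443"),
    Event(1100, "process", "ws02", "powershell.exe", parent="explorer.exe",
          cmdline="powershell.exe Get-Process"),
    Event(1101, "network", "ws02", "powershell.exe", dest="198.51.100.23:443"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host} t={a.ts} {a.parent} -> {a.cmdline!r} "
              f"score={a.score} c2={a.c2_dest}")
```

The parent-child pairing is the durable signal here: an exploit in a document viewer has to get code running under the viewer's process tree, whereas the command-line switches and the outbound connection only raise confidence and will vary between samples. The correlation window and the switch list are tuning knobs for a real deployment.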
Furthermore, two phishing campaigns were identified, both staged by the same adversary.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten,” Bar noted.
This campaign is the latest in a series of attacks capitalizing on the Microsoft MSHTML bug. As we previously reported, the Malwarebytes Intelligence team found the vulnerability being used by threat actors targeting Russian government institutions, in a campaign that also relied on phishing email attachments.