Security experts from SafeBreach Labs identified a new Iranian threat actor group exploiting a Microsoft MSHTML Remote Code Execution (RCE) flaw – CVE-2021-40444. The group reportedly used a new PowerShell-based stealer, dubbed PowerShortShell, to target social media accounts of Farsi-speaking users since mid-September 2021.
SafeBreach Labs researchers stated the threat actor group leveraged spear-phishing emails to deliver the PowerShortShell script to the targeted devices. PowerShortShell gave the attackers access to critical data, including screen captures, Telegram files, collected documents, and extensive information about the victim’s environment. While the operators behind the PowerShortShell campaign are unknown, the researchers stated the group might be linked to Iran’s Islamic regime.
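The article names the delivery vector (a spear-phished Word document exploiting CVE-2021-40444) but not how a defender would triage such a document. The following is an added example, not code from SafeBreach Labs or from the article: it opens a .docx container and flags external relationships in word/_rels/document.xml.rels whose target uses the mhtml: scheme or an !x-usc: segment, the pattern public analyses of CVE-2021-40444 maldocs describe (that indicator is an assumption taken from those analyses, not from this page). The two documents it scans are constructed in memory, with placeholder hosts, so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Assumed indicators (from public CVE-2021-40444 write-ups, not from the article):
# an External relationship whose Target starts with "mhtml:" and/or carries a
# "!x-usc:" segment pointing the MSHTML engine at a remote HTML resource.
MHTML_RE = re.compile(r"^mhtml:", re.IGNORECASE)
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)


def document_relationships(docx_bytes):
    """Return (type, target, target_mode) for every entry in document.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return []
        root = ET.fromstring(z.read(RELS_PATH))
    rels = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        rels.append((rel.get("Type", ""), rel.get("Target", ""),
                     rel.get("TargetMode", "Internal")))
    return rels


def scan_docx(docx_bytes):
    """Flag external relationships worth a closer look; returns a list of findings."""
    findings = []
    for rtype, target, mode in document_relationships(docx_bytes):
        if mode != "External":
            continue  # internal parts (styles, settings, ...) are normal
        short_type = rtype.rsplit("/", 1)[-1]
        if MHTML_RE.search(target) or XUSC_RE.search(target):
            findings.append({"type": short_type, "target": target,
                             "reason": "mhtml/x-usc external target"})
        elif short_type == "oleObject":
            # External OLE objects are rare in ordinary documents; report them too.
            findings.append({"type": short_type, "target": target,
                             "reason": "external OLE object"})
    return findings


def build_docx(rels_xml):
    """Build a minimal, constructed .docx container around the given rels XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed sample: an ordinary document with only internal relationships.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/>
</Relationships>"""

# Constructed sample: the external OLE relationship shape; host is a placeholder.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://placeholder.invalid/word.html!x-usc:http://placeholder.invalid/word.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_docx(build_docx(rels)))
```

Run it against real attachments by replacing build_docx(...) with the bytes of the file under review; a non-empty result is a triage lead, not a verdict, since the same relationship shape can appear in documents that simply embed a remote object.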
“Based on the Microsoft Word document content, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime. The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is unique to Iranian threat actors, which heavily rely on social engineering tricks,” the researchers said.
The researchers also found two phishing campaigns intended to harvest Gmail and Instagram credentials. They used the same C2 server, Deltaban[.]dedyn[.]io, which hosted a phishing HTML page masquerading as the legitimate deltaban.com travel agency site.
While the exact victims of PowerShortShell are unknown, the reported victims by country were the U.S. (45.8%), followed by the Netherlands (12.5%), Russia (8.3%), Canada (8.3%), Germany (8.3%), China (4.2%), and India (4.2%).
The post Iranian Threat Actors Leverage PowerShortShell to Exploit Microsoft Flaw appeared first on CISO MAG | Cyber Security Magazine.