Using a novel PowerShell-based stealer, named PowerShortShell by security researchers at SafeBreach Labs, a newly identified Iranian threat actor is collecting Google and Instagram credentials from Farsi-speaking targets worldwide. The information stealer has also been used for Telegram surveillance and for gathering system information from infected devices, which is then exfiltrated to attacker-controlled servers.
The attacks, publicly disclosed on Twitter in September by the Shadow Chaser Group, began in July as spear-phishing emails that deliver malicious Microsoft Word (WinWord) attachments to Windows users; the documents abuse a Microsoft MSHTML remote code execution (RCE) flaw tracked as CVE-2021-40444.
A DLL dropped on infected computers executes the PowerShortShell stealer payload. Once the PowerShell script runs, it collects data and screenshots and sends them to the attacker's command-and-control (C2) server.
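The chain above (Word document, then a DLL, then a PowerShell stealer) leaves a process lineage that endpoint telemetry can catch. The following is an added example, not code from SafeBreach or the article: it walks Sysmon-style process-creation events and flags any PowerShell host whose ancestry leads back to an Office process within a few hops. The events, the rundll32.exe intermediary standing in for the DLL loader, and the file names are all constructed assumptions.

```python
"""Hunt for Office-rooted PowerShell lineage such as the
PowerShortShell chain (Word -> DLL host -> powershell.exe).
Events below are constructed sample telemetry, not real data."""
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 4  # hops allowed between the Office process and the script host

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

def image_name(path: str) -> str:
    """Normalise a Windows image path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def office_ancestor(tree: dict, event: ProcEvent, max_depth: int = MAX_DEPTH):
    """Return the process chain from the Office parent down to event, or None."""
    chain = [image_name(event.image)]
    pid = event.ppid
    for _ in range(max_depth):
        parent = tree.get(pid)
        if parent is None:          # root reached or parent not in telemetry
            return None
        chain.append(image_name(parent.image))
        if chain[-1] in OFFICE_PARENTS:
            return list(reversed(chain))
        pid = parent.ppid
    return None                      # Office not found within max_depth hops

def find_office_spawned_shells(events):
    """List (pid, lineage) for every script host descended from Office."""
    tree = {e.pid: e for e in events}   # pid -> event, for walking parent links
    hits = []
    for e in events:
        if image_name(e.image) in SCRIPT_HOSTS:
            chain = office_ancestor(tree, e)
            if chain:
                hits.append((e.pid, " -> ".join(chain)))
    return hits

SAMPLE_EVENTS = [  # constructed; the DLL host (rundll32.exe) is an assumption
    ProcEvent(400, 100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE lure.docx"),
    ProcEvent(510, 500, r"C:\Windows\System32\rundll32.exe", "rundll32.exe dropped.dll,Start"),
    ProcEvent(520, 510, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File stealer.ps1"),
    ProcEvent(600, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for pid, lineage in find_office_spawned_shells(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {lineage}")
```

Only the PowerShell instance descended from WINWORD.EXE is flagged; the one launched directly from Explorer is ignored.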
The US accounts for about half of the victims. Tomer Bar of SafeBreach Labs said that, based on the contents of the Microsoft Word document, they believe the victims are Iranians living abroad who pose a threat to Iran's Islamic regime. The adversary might be linked to the Iranian regime, since Telegram surveillance is common among Iran's threat actors, such as Infy, Ferocious Kitten, and Rampant Kitten.
According to Microsoft, multiple threat actors, including ransomware affiliates, have used maliciously crafted Office documents delivered via phishing campaigns to exploit the Windows MSHTML RCE vulnerability. These attacks exploited CVE-2021-40444 as part of an initial-access campaign that delivered customized Cobalt Strike Beacon loaders.
The installed beacons communicated with malicious infrastructure linked to various cybercrime operations, including but not limited to human-operated ransomware. Since threat actors began posting tutorials and proof-of-concept exploits on hacking forums even before the flaw was patched, it is no surprise that a growing number of attackers are exploiting CVE-2021-40444.