Home > Attacks & Data Breaches > Hackers Exploit a Microsoft MSHTML Flaw to Obtain Google and Instagram Credentials

Hackers Exploit a Microsoft MSHTML Flaw to Obtain Google and Instagram Credentials

November 25, 2021
CIM Team

Using a novel PowerShell-based stealer called PowerShortShell by security experts at SafeBreach Labs, a newly found Iranian threat actor is collecting Google and Instagram credentials belonging to Farsi-speaking targets worldwide. The information stealer has also been used for Telegram surveillance and gathering system information from infected devices, which is then transferred to attacker-controlled sites and data theft.

The cyberattacks (Shadow Chaser Group revealed it publicly in September on Twitter) began in July as spear-phishing emails. They send malicious WinWord attachments to Windows users that abuse a Microsoft MSHTML remote code execution (RCE) flaw identified as CVE-2021-40444.

A DLL obtained on infected computers executes the PowerShortShell stealer payload. When the PowerShell script is run, it begins gathering data and screen photos, then sends them to the attacker’s command-and-control server.

The US accounts for about half of the victims. Tomer Bar of SafeBreach Labs said that based on the contents of the Microsoft Word document, we believe the victims are Iranians living abroad who pose a threat to Iran’s Islamic regime. The opponent might be linked to Iran’s Islamic dictatorship because Telegram surveillance is common among Iran’s threat actors, such as Infy, Ferocious Kitten, and Rampant Kitten.

According to Microsoft, multiple threat actors, including ransomware associates, used maliciously generated Office documents supplied via phishing campaigns to target the Windows MSHTML RCE vulnerability. As part of an early access effort that delivered modified Cobalt Strike Beacon loaders, these attacks exploited the CVE-2021-40444 vulnerability.

The installed beacons communicated with malicious equipment linked to various cybercrime schemes, including but not limited to ransomware that humans administer. Since threat actors began posting tutorials and proof-of-concept exploits on hacker forums even before the flaw was patched, it’s no surprise that more and more attackers are exploiting CVE-2021-40444 attacks.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others

Hackers Exploit a Microsoft MSHTML Flaw to Obtain Google and Instagram Credentials

About the author

CIM Team

Share:

Related ARTICLES

CaTEGORIES

Quick Nav

Hackers Exploit a Microsoft MSHTML Flaw to Obtain Google and Instagram Credentials

About the author

CIM Team

Share:

Related ARTICLES

Weekly Cyber Threat Report, May 22-26, 2023

Devastating DDoS Attacks Launched Against Gaming Industry by Dark Frost Botnet

Israeli Logistics Sector Attacked by Iranian Tortoiseshell Hackers

GoldenJackal: New Threat Gang Attacking South Asian And Middle Eastern Governments

CaTEGORIES

Quick Nav