Rewterz Threat Alert – BazarLoader Malware – Active IOCs
November 25, 2021Rewterz Threat Alert – Thanos Ransomware – Active IOCs
November 25, 2021Severity
Medium
Analysis Summary
The MSHTML bug is being used by a newly discovered Iranian APT group that steals Google and Instagram credentials using a new PowerShell-based stealer named “PowerShortShell”. The targets and Farsi-Speakers worldwide.
Another use for the infostealer is to collect system information and Telegram Surveillance from compromised devices sent to attacker-controlled servers together with the stolen credentials.
The attacks started in September as spear-phishing email campaigns as the attacker sent out windows users malicious Winword attachments that exploit the Microsoft MSHTML RCE bug.
The PowerShortShell stealer payload is executed by a DLL downloaded on compromised systems. Once launched, the PowerShell script starts collecting data and screen snapshots, exfiltrating it to the attacker’s command-and-control server.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.”
“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar.
CVE-2021-40444
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact
- Remote Code Execution
- Information Theft
- Cyber Espionage
Affected Vendors
Microsoft
Affected Products
- MSHTML
Indicators of Compromise
Filename
- docx[.]جنایات خامنه ای
MD5
- 858404225565c80972ba66d2c612e49f
SHA-256
- d793193c2d0c31bc23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08
SHA-1
- a448f215d5b0b388e63166b158e3389eaf38b97c
URL
- http[:]//hr[.]dedyn[.]io/word[.]html
- http[:]//hr[.]dedyn[.]io/word[.]cab
- http[:]//hr[.]dedyn[.]io/1[.]ps1
- http[:]//hr[.]dedyn[.]io/upload2[.]aspx
Remediation
- Users are advised to use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft
- Security Update Guide to search for available patches.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.