A newly discovered Iranian threat actor is stealing Google and Instagram credentials using an exploit for a Microsoft MSHTML remote code execution flaw.
SafeBreach Labs discovered that the attacks (publicly reported on Twitter in September by the Shadow Chaser Group) began in July as spear-phishing emails.
The campaign targets Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.
“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar, Director of Security Research at SafeBreach Labs.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage