Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials


An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug.

Researchers from SafeBreach Labs spotted a new Iranian threat actor that is using an exploit for a Microsoft MSHTML Remote Code Execution (RCE) flaw in attacks aimed at Farsi-speaking victims. The exploit is used to install a PowerShell stealer, tracked by the researchers as PowerShortShell, that steals Google and Instagram credentials of the victims.

The campaign was first spotted in mid-September 2021 by ShadowChasing.

hi threat
why did you use it
ITW: 858404225565c80972ba66d2c612e49f
filename: جنایات خامنه ای.docx
URL:
hxxp://hr.dedyn.io/word.html
hxxp://hr.dedyn.io/word.cab
hxxp://hr.dedyn.io/1.ps1
hxxp://hr.dedyn.io/upload.aspx?fn=
hxxp://hr.dedyn.io/upload2.aspx

— Shadow Chaser Group (@ShadowChasing1) September 15, 2021

The PowerShortShell stealer is also used for Telegram surveillance and gathering system information from infected systems.

“SafeBreach Labs analyzed the full attack chain, discovered new phishing attacks which started in July this year and achieved the last and most interesting piece of the puzzle – the PowerShell Stealer code – which we named PowerShortShell.” reads the analysis published by SafeBreach Labs. “The reason we
