A new infostealer is circulating on the web, seizing Google and Instagram credentials and monitoring victims’ Telegram correspondence, security researchers say.
As reported by Bleeping Computer, security researchers from SafeBreach Labs have recently discovered a new Iranian threat actor that has targeted the Farsi-speaking community worldwide with the new malware.
The malware is a PowerShell-based stealer called PowerShortShell. It exploits a Microsoft MSHTML remote code execution (RCE) vulnerability, tracked as CVE-2021-40444. To infect a device, the attacker first performs a spear-phishing attack by sending a Microsoft Word attachment; when the victim opens the malicious file, the exploit downloads and executes a DLL.
When the downloaded DLL launches PowerShortShell, the malware begins collecting data, stealing passwords, taking screenshots, and sending everything to the attacker’s command-and-control server.
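The chain described above (Word document, then a dropped DLL, then a PowerShell stealer) is what a detection rule should key on. The following is an added example, not code from the article or from SafeBreach Labs: it scans constructed process-creation events in a hypothetical JSON log format for an Office application spawning a DLL loader or PowerShell, and for hidden or encoded PowerShell invocations.

```python
"""Added example (not from the article or SafeBreach Labs).
Flags process-creation events matching the described infection chain:
an Office document leading to a DLL being loaded and PowerShell running.
The JSON event shape and all sample events are constructed for illustration."""
import json
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Binaries commonly used to load a dropped DLL, plus PowerShell itself.
SUSPECT_CHILDREN = {"rundll32.exe", "regsvr32.exe", "control.exe",
                    "powershell.exe", "pwsh.exe"}
HIDDEN_OR_ENCODED = ("-enc", "-encodedcommand", "-w hidden", "windowstyle hidden")

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def suspicious(event: dict) -> Optional[str]:
    """Return a reason label if the event matches the chain, else None."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "").lower()
    if parent in OFFICE_PARENTS and image in SUSPECT_CHILDREN:
        return f"office_spawned_{image}"
    if image in {"powershell.exe", "pwsh.exe"} and any(m in cmd for m in HIDDEN_OR_ENCODED):
        return "hidden_or_encoded_powershell"
    return None

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Parse one JSON event per line and return (pid, reason) for each hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        reason = suspicious(ev)
        if reason:
            hits.append((ev["pid"], reason))
    return hits

# Constructed sample events: 101 and 102 model the article's chain, 103 and 104 are benign.
SAMPLE_EVENTS = [
    json.dumps({"pid": 101, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                "image": r"C:\Windows\System32\rundll32.exe", "command_line": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,Start"}),
    json.dumps({"pid": 102, "parent_image": r"C:\Windows\System32\rundll32.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe -w hidden -enc QQBB"}),
    json.dumps({"pid": 103, "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"}),
    json.dumps({"pid": 104, "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe Get-Process"}),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

The parent/child rule is the higher-signal one; the command-line rule alone will also match legitimate administrative scripts and should be tuned per environment.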
Targeting the establishment’s enemies
According to Tomer Bar, director of security research at SafeBreach Labs, the targets appear to be “Iranians living abroad and could be seen as a threat to Iran’s Islamic regime”. Bar came to this conclusion after analyzing the contents of the Word document that was sent out in connection with the phishing attack, in which Iran’s leaders are blamed for a “Corona massacre”.
“The adversary may be tied to Iran’s Islamic regime, as the use of Telegram surveillance is typical of Iran’s threatening actors such as Infy, Ferocious Kitten and Rampant Kitten,” he added.
Almost half of all victims (45.8%) live in the United States, while the rest are in the Netherlands (12.5%), Russia, Germany and Canada (8.3%).
CVE-2021-40444, the RCE bug affecting Internet Explorer’s MSHTML rendering engine, was fixed in mid-September this year. It had first been seen in the wild three weeks earlier, and the Iranian group was not the only one abusing the vulnerability.
In fact, threat actors shared tutorials and proof-of-concept exploits on hacking forums long before Microsoft patched it, Bleeping Computer notes.