A new infostealer is circling the web, grabbing credentials from Google and Instagram and tracking victims’ Telegram correspondence, cyber researchers say.
As reported by Bleeping Computer, security researchers at SafeBreach Labs recently discovered a new Iranian threat actor that has targeted the Farsi-speaking community around the world with the new malware.
The malware is a PowerShell-based stealer called PowerShortShell. It exploits a Microsoft MSHTML remote code execution (RCE) bug, tracked as CVE-2021-40444. To infect a device, the attacker first sends a spear-phishing email carrying a Microsoft Word attachment; opening the malicious document triggers the exploit, which downloads and executes a DLL.
Once the downloaded DLL launches PowerShortShell, the malware begins collecting data: stealing passwords, taking screenshots and sending everything to the attacker’s command-and-control server.
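The Word attachment is the entry point of the chain described above, so a mail gateway or analyst can triage such files before they reach a user. The following is an added example, not code from the article or from SafeBreach: it lists every relationship inside a .docx package whose target is external rather than an embedded part, and flags external OLE object relationships, the pattern public analyses of CVE-2021-40444 documents reported. The constructed sample documents, the `example.invalid` URL and the function names are assumptions for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for every relationship
    in the package whose TargetMode is External (i.e. not an embedded part)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def is_suspicious(docx_bytes: bytes) -> bool:
    """Flag a document whose OLE object is fetched from an external target:
    a benign embedded object lives inside the package, not at a URL."""
    return any(rtype == "oleObject" for _, rtype, _ in external_relationships(docx_bytes))


def build_sample_docx(ole_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (sample data, not a real maldoc).
    With ole_target=None the package has only an internal styles relationship."""
    rels = [
        f'<Relationships xmlns="{RELS_NS}">',
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>',
    ]
    if ole_target:  # external OLE object relationship, the pattern we want to catch
        rels.append(f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" '
                    f'Target="{ole_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()
```

Run the check on a real inbound attachment by passing its bytes to `is_suspicious`; the `external_relationships` output tells the analyst exactly which part and target triggered the flag.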
Tackle enemies of the establishment
According to Tomer Bar, director of security research at SafeBreach Labs, the targets “appear to be Iranians living abroad who may be perceived as a threat to Iran’s Islamic regime”. Bar came to this conclusion after analyzing the contents of the Word document used in the phishing attack, which blames Iran’s leaders for a “Corona massacre.”
“The adversary may be linked to Iran’s Islamic regime as the use of Telegram surveillance is typical of Iranian threat actors such as Infy, Ferocious Kitten and Rampant Kitten,” he added.
Almost half of all victims (45.8%) live in the United States; the rest are in the Netherlands (12.5%), Russia, Germany and Canada (8.3% each).
The CVE-2021-40444 RCE bug, which affects Internet Explorer’s MSHTML rendering engine, was patched in mid-September this year. It had first been spotted in the wild three weeks earlier, and the Iranian group was not the only one taking advantage of the vulnerability.
Threat actors even shared tutorials and proof-of-concepts on hacking forums long before Microsoft managed to patch it, Bleeping Computer reports.