Security researchers have uncovered a campaign in which Iranian threat actors exploited a vulnerability in the Microsoft Windows MSHTML platform to target fellow Iranians with a new PowerShell-based information stealer engineered to collect large amounts of data from infected devices.
According to the report, the stealer is a PowerShell script with concise yet powerful collection capabilities: in only about 150 lines it can deliver several kinds of critical data to the threat actors, including documents, Telegram files, screenshots, and a wide range of information about the victim's environment.
The attack is also said to have targeted Iranians living overseas, nearly half of them residing in the US, whom the threat actors regard as threats to the Islamic regime of Iran.
The remote code execution vulnerability CVE-2021-40444, found in July 2021, was used in the phishing campaign by means of specially crafted Microsoft Office documents. The vulnerability was patched around September 2021, just a few weeks after its active exploitation was observed.
Microsoft explained that a threat actor could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine, and would then have to persuade the victim to open the malicious document. Users whose accounts are configured with fewer system privileges could be affected much less than those operating with administrative privileges.
Threat actors exploit the MSHTML vulnerability when victims open the Microsoft Word file attached to a spear-phishing email sent by the attackers.
The attack begins with a spear-phishing email carrying a malicious Microsoft Word file that triggers exploitation of CVE-2021-40444 once opened. Opening the document can also launch a PowerShell script dubbed 'PowerShortShell', which steals sensitive data and transmits it to a C2 server.
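Both the ActiveX description above and the Word-attachment delivery chain rely on a document that makes Word fetch an OLE object from outside the file instead of from inside the zip. As an added defensive illustration that is not part of the original article or any vendor tool, the following Python inspects the OOXML relationship parts of a .docx and flags every OLE relationship marked TargetMode="External", which is the kind of reference a mail gateway or triage script should hold for review. The sample document builder and the `example.invalid` URL are constructed for the demonstration.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Namespace of OOXML package relationship parts (e.g. word/_rels/document.xml.rels)
# and the relationship type Word uses for embedded or linked OLE objects.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_targets(docx_bytes: bytes) -> list:
    """Return 'part: target' for every OLE relationship marked TargetMode="External".

    Embedded objects live inside the zip; an external OLE target makes Word fetch the
    object from a URL through the browser engine, so a defender wants it flagged.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append("%s: %s" % (name, rel.get("Target", "")))
    return hits


def build_sample_docx(ole_target: str = "") -> bytes:
    """Build a minimal constructed .docx-style zip for testing; not a real document."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if ole_target:  # add an external OLE relationship pointing at ole_target
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (OLE_REL_TYPE, ole_target))
    xml = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">%s</Relationships>'
           % (RELS_NS, "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        zf.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL; not an indicator from the article.
    print(find_external_ole_targets(build_sample_docx()))
    print(find_external_ole_targets(build_sample_docx("http://example.invalid/lure.html")))
```

Run it against real attachments by passing the file contents to `find_external_ole_targets`; a non-empty result does not prove exploitation but marks the document for analyst review.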
The C2 server used by the threat actors was launched only a day after the tech giant released patches for the vulnerability; it was also used to collect credentials for victims' Gmail and Instagram accounts as part of the adversary's two-part phishing campaign.
Microsoft had previously disclosed a separate phishing campaign that exploited the same vulnerability for initial access in order to deploy Cobalt Strike Beacon loaders. This new attack is only the latest in a string of attacks that have leveraged the MSHTML vulnerability.