Nov 25, 2021

Hackers exploit Microsoft MSHTML bug to steal Google, Instagram creds

A newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets worldwide using a new PowerShell-based stealer dubbed PowerShortShell by security researchers at SafeBreach Labs.
The info stealer is also used for Telegram surveillance and collecting system information from compromised devices that get sent to attacker-controlled servers together with the stolen credentials.
As SafeBreach Labs discovered, the attacks (publicly reported in September on Twitter by the Shadow Chaser Group) started in July as spear-phishing emails.
They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) bug tracked as CVE-2021-40444.
The PowerShortShell stealer payload is executed by a DLL downloaded on compromised systems. Once launched, the PowerShell script starts collecting data and screen snapshots, exfiltrating it to the attacker’s command-and-control server.
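The chain above (a Word attachment, a downloaded DLL that launches the stealer, and a PowerShell script running under it) is something a defender can look for in endpoint process-creation telemetry. The script below is an added example, not code from the article, SafeBreach Labs, or the malware: it replays a handful of constructed process-creation records and flags any DLL host or PowerShell process whose ancestry leads back to a Word process, noting when the DLL was loaded from a user-writable path. The record fields, the image names used as indicators, and the sample events are all assumptions made for this example, not a real product's schema or the campaign's actual file names.

```python
"""
Added example (not from the article or SafeBreach Labs): triage of
process-creation records for the Word -> DLL -> PowerShell chain described
above. Log schema, indicator lists and sample records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line of the new process


# Assumption: Word is the root of the chain the article describes.
OFFICE_IMAGES = {"winword.exe"}
# Assumption: common Windows hosts used to run a dropped DLL.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# PowerShell interpreters (the stealer is a PowerShell script).
SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: user-writable locations where a downloaded DLL would land.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links from pid upward; stops on a missing or cyclic pid."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = events.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = events.get(cur.ppid)
    return chain


def find_office_chains(raw: List[ProcEvent]) -> List[dict]:
    """Return one finding per DLL host or shell that descends from Word."""
    events = {e.pid: e for e in raw}
    findings = []
    for e in raw:
        name = basename(e.image)
        if name not in SHELLS and name not in DLL_HOSTS:
            continue
        chain = ancestry(events, e.pid)
        # chain[0] is the process itself; look for Word among its ancestors
        office = next((a for a in chain[1:]
                       if basename(a.image) in OFFICE_IMAGES), None)
        if office is None:
            continue
        # Second indicator: a DLL host in the chain pointed at a user path
        dll_from_user_path = any(
            basename(a.image) in DLL_HOSTS
            and any(marker in a.cmdline.lower() for marker in USER_WRITABLE)
            for a in chain
        )
        findings.append({
            "pid": e.pid,
            "image": name,
            "root_pid": office.pid,
            "depth": chain.index(office),      # hops from Word to this process
            "dll_from_user_path": dll_from_user_path,
        })
    return findings


# Constructed sample telemetry: one suspicious chain plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invite.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\loader.dll,Start"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\collect.ps1"),
    # benign: an admin opening PowerShell from Explorer, and Word printing
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(600, 200, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
]

if __name__ == "__main__":
    for finding in find_office_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the two processes under the Word instance are reported; the PowerShell started from Explorer and Word's print helper are not. In a real deployment the indicator sets would be tuned to the environment, and the parent-process data would come from the endpoint sensor rather than an inline list.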
“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ – and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar, Director of Security Research at SafeBreach Labs.
“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.”
The CVE-2021-40444 RCE bug impacting IE’s MSHTML rendering engine has been exploited in the wild as a zero-day starting on August 18, more than two weeks before Microsoft issued a security advisory with a partial workaround, and three weeks before a patch was released.
Most recently, it was exploited in conjunction with malicious advertisements by the Magniber ransomware gang to infect targets with malware and encrypt their devices.
Microsoft also said multiple threat actors, including ransomware affiliates, targeted this Windows MSHTML RCE bug using maliciously crafted Office documents delivered via phishing attacks.
These attacks abused the CVE-2021-40444 flaw “as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.”
The deployed beacons communicated with malicious infrastructure connected with several cybercrime campaigns, including but not limited to human-operated ransomware.
It’s not surprising that more and more attackers are using CVE-2021-40444 exploits since threat actors started sharing tutorials and proof-of-concept exploits on hacking forums even before the bug was patched.
This likely allowed other threat actors and groups to start exploiting the security flaw in their own attacks.
The information shared online is simple to follow and makes it easy for anyone to create their own working version of a CVE-2021-40444 exploit, including a Python server that can distribute malicious documents and CAB files to compromised systems.
Using this info, BleepingComputer could also successfully reproduce the exploit in about 15 minutes, as demonstrated in this video demo.
Article Categories:
Cybersecurity News