Rewterz

Microsoft MSHTML bug Exploited for Credential Theft – Active IoCs

Severity

Medium

Analysis Summary

The MSHTML bug (CVE-2021-40444) is being used by a newly discovered Iranian APT group to steal Google and Instagram credentials with a new PowerShell-based stealer named “PowerShortShell”. The targets are Farsi speakers worldwide.

The infostealer also collects system information and Telegram-related data (“Telegram surveillance”) from compromised devices and sends it to attacker-controlled servers together with the stolen credentials.


The attacks started in September 2021 as spear-phishing email campaigns in which the attacker sent Windows users malicious Microsoft Word attachments that exploit the Microsoft MSHTML remote code execution bug.

The PowerShortShell stealer payload is launched by a DLL downloaded onto compromised systems. Once running, the PowerShell script collects data and screen snapshots and exfiltrates them to the attacker’s command-and-control server.

“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.”

“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” said Tomer Bar.

CVE-2021-40444

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the MSHTML browser rendering engine. The attacker would then have to convince the user to open the malicious document; the payload runs with the rights of the user who opened it, so accounts configured with fewer user rights on the system are less impacted than accounts that operate with administrative rights.

[Figure: CVE-2021-40444 attack chain]
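As an added example (not code from Rewterz or from the researchers who reported the campaign), the following Python hunts for the document shape this CVE relies on: a .docx whose relationship file points an OLE object at an external URL, typically wrapped in an mhtml: scheme so that MSHTML fetches the attacker’s HTML. It assumes the attack document follows the publicly documented CVE-2021-40444 pattern (an external oleObject relationship with an mhtml: target); the sample document is constructed in memory, and the known-bad host is refanged from the URL indicators in this alert.

```python
"""Hunt for the CVE-2021-40444 document pattern in .docx files.

Added example, not the alert's or the researchers' code. A .docx is a ZIP;
the relationship files (*.rels) declare what each embedded object points to.
The exploit documents use an oleObject relationship whose Target is an
external mhtml:http://... URL, so that is what this scanner flags.
"""
import html
import io
import re
import zipfile
from xml.etree import ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

# Defanged indicators copied from the alert's URL section; refang() makes them matchable.
DEFANGED_URLS = [
    "http[:]//hr[.]dedyn[.]io/word[.]html",
    "http[:]//hr[.]dedyn[.]io/word[.]cab",
    "http[:]//hr[.]dedyn[.]io/1[.]ps1",
    "http[:]//hr[.]dedyn[.]io/upload2[.]aspx",
]


def refang(ioc: str) -> str:
    """Undo the common '[.]' / '[:]' / 'hxxp' defanging used in threat alerts."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def known_bad_hosts(defanged=DEFANGED_URLS) -> set:
    """Extract the host names from a list of defanged URL indicators."""
    hosts = set()
    for u in defanged:
        m = re.match(r"https?://([^/]+)", refang(u), re.IGNORECASE)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def scan_docx(data: bytes, bad_hosts=None) -> list:
    """Return a list of suspicious relationship targets found in a .docx."""
    bad_hosts = bad_hosts if bad_hosts is not None else known_bad_hosts()
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter():
                if not rel.tag.endswith("Relationship"):
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                is_ole = rel.get("Type", "") == OLE_REL
                # "mhtml:http://...!x-usc:http://..." is the trigger shape; pull every URL out of it.
                urls = re.findall(r"https?://[^\s!\"']+", target, re.IGNORECASE)
                hosts = {re.match(r"https?://([^/]+)", u, re.I).group(1).lower() for u in urls}
                reasons = []
                if is_ole and external:
                    reasons.append("external oleObject relationship")
                if target.lower().startswith("mhtml:"):
                    reasons.append("mhtml: target")
                if hosts & bad_hosts:
                    reasons.append("known-bad host " + ",".join(sorted(hosts & bad_hosts)))
                if reasons:
                    findings.append({"rels": name, "target": target, "reasons": reasons})
    return findings


def build_sample_docx(target: str, rel_type: str = OLE_REL, external: bool = True) -> bytes:
    """Construct a minimal synthetic .docx whose document.xml.rels carries the given target.
    This is a test document built here for the example, not the real sample from the alert."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId5" Type="{rel_type}" Target="{html.escape(target)}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx(
        "mhtml:http://hr.dedyn.io/word.html!x-usc:http://hr.dedyn.io/word.html")
    for hit in scan_docx(suspicious):
        print(hit["rels"], "->", hit["target"], "|", "; ".join(hit["reasons"]))
```

Run the scanner over mail-gateway quarantine or endpoint downloads; a hit on any of the three reasons is worth a look, and a hit on all three is the shape of the documents described in this alert. The host match depends on the current IOC list, so the first two checks are the durable ones once the infrastructure changes.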

Impact

  • Remote Code Execution
  • Information Theft
  • Cyber Espionage

Affected Vendors

Microsoft

Affected Products

  • MSHTML

Indicators of Compromise

Filename

  • جنایات خامنه ای[.]docx (Persian file name; translates to “Khamenei’s crimes”)

MD5

  • 858404225565c80972ba66d2c612e49f

SHA-256

  • d793193c2d0c31bc23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08

SHA-1

  • a448f215d5b0b388e63166b158e3389eaf38b97c

URL

  • http[:]//hr[.]dedyn[.]io/word[.]html
  • http[:]//hr[.]dedyn[.]io/word[.]cab
  • http[:]//hr[.]dedyn[.]io/1[.]ps1
  • http[:]//hr[.]dedyn[.]io/upload2[.]aspx

Remediation