Security researchers at SafeBreach Labs identified a new Iranian threat actor group exploiting the Microsoft MSHTML Remote Code Execution (RCE) vulnerability CVE-2021-40444. The group reportedly used a new PowerShell-based stealer, dubbed PowerShortShell, to target the social media accounts of Farsi-speaking users since mid-September 2021.
PowerShortShell Explained
SafeBreach Labs researchers stated that the group used spear-phishing emails to deliver the PowerShortShell script to targeted devices. PowerShortShell gives the operators access to sensitive data, including screen captures, Telegram files, collected documents, and extensive information about the victim's environment. While the operators behind the PowerShortShell campaign are unknown, the researchers said the group might be linked to Iran's Islamic regime.
“Based on the Microsoft Word document content, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime. The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is unique to Iranian threat actors, which heavily rely on social engineering tricks,” the researchers said.
PowerShortShell Attack Sequence
- The attack starts with a spear-phishing email carrying a Word attachment that the victim is lured to open.
- Opening the document triggers the Microsoft MSHTML Remote Code Execution vulnerability, CVE-2021-40444.
- The Word file connects to the malicious server, executes the malicious HTML, and drops a DLL into the %temp% directory.
- The dropped file (an .inf that is actually a DLL) downloads and executes the final payload, the PowerShell script.
- The PowerShell script collects data and exfiltrates it to the attacker's C2 server.
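The chain above (Office process, a dropped .inf/DLL in %temp%, then PowerShell) leaves a recognisable process lineage on the endpoint. The following is an added detection example written for this article; it is not SafeBreach's code or the malware's. It parses constructed Sysmon-style process-creation records (the PIDs, paths, the `rundll32.exe` host for the dropped DLL, and the log format are all assumptions for the example; the report does not name the process that loads the DLL) and flags two things: an Office parent spawning a child whose command line references an .inf or .dll under %temp%, and a `powershell.exe` whose ancestry leads back to WINWORD.EXE.

```python
"""Hunt for a Word -> %temp% .inf/.dll -> PowerShell chain in process logs.

Added example (not from the SafeBreach report). Input records are constructed
and pipe-separated: pid|ppid|image|cmdline.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

OFFICE_IMAGES = {"winword.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# A path under %TEMP% (either the literal variable or the expanded user
# profile form) ending in .inf or .dll, as described for the dropped DLL.
TEMP_DROP_RE = re.compile(r"(?i)(?:%temp%|\\appdata\\local\\temp\\)[^\s,]*\.(?:inf|dll)\b")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed pid|ppid|image|cmdline records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Walk parent -> grandparent -> ... ; guard against PID reuse loops."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events: List[ProcEvent]) -> List[Tuple]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple] = []
    for e in events:
        # 1. Office parent whose child references an .inf/.dll under %temp%.
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in OFFICE_IMAGES:
            m = TEMP_DROP_RE.search(e.cmdline)
            if m:
                alerts.append(("office_temp_drop", e.pid, m.group(0)))
        # 2. PowerShell anywhere below an Office process.
        if basename(e.image) in SCRIPT_HOSTS:
            for anc in lineage(e, by_pid):
                if basename(anc.image) in OFFICE_IMAGES:
                    alerts.append(("office_to_powershell", e.pid, anc.pid))
                    break
    return alerts


# Constructed sample: one malicious chain plus a benign PowerShell from explorer.
SAMPLE_LOG = r"""
500|400|C:\Windows\explorer.exe|C:\Windows\explorer.exe
1234|500|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n C:\Users\victim\Downloads\invite.docx
1300|1234|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\victim\AppData\Local\Temp\payload.inf,DllMain
1350|1300|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc AAAA
2000|500|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process
"""

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The lineage walk matters more than the string match: the DLL host and the script encoding can change between campaigns, but PowerShell descending from a document viewer is rarely legitimate and survives those changes.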
The researchers also found two phishing campaigns that harvested Gmail and Instagram credentials through the same C2 server, Deltaban[.]dedyn[.]io, which served a phishing HTML page masquerading as the legitimate deltaban.com travel agency.
Victims Affected
While the exact victims of PowerShortShell are unknown, the reported victims were distributed by country as follows: the U.S. (45.8%), followed by the Netherlands (12.5%), Russia (8.3%), Canada (8.3%), Germany (8.3%), China (4.2%), and India (4.2%).
Indicators of Compromise (IOC)
- dedyn.io – C2 and infection server
- dedyn.io – phishing
- dedyn.io – phishing
- dedyn.io – phishing