
Hackers exploit Microsoft MSHTML RCE bug to steal Google and Instagram credentials

Security researchers at SafeBreach Labs have identified an Iranian threat group that steals credentials for Google and Instagram accounts belonging mainly to Farsi-speaking targets. The hackers steal the Google and Instagram credentials using a PowerShell-based stealer (named PowerShortShell by the researchers) and exploit a Microsoft MSHTML RCE bug.



The info stealer is also used for Telegram monitoring and system information collection from compromised devices. This information is sent to servers controlled by the attacker, along with stolen Google and Instagram credentials.

According to SafeBreach Labs, the attacks (reported on Twitter in September) began in July as spear-phishing emails targeting Windows users with malicious Word attachments that exploit the Microsoft MSHTML RCE bug (CVE-2021-40444).

The PowerShortShell stealer payload is executed by a DLL downloaded onto the compromised system. The PowerShell script then collects data and screenshots and sends them to the attacker.
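As an added illustration (not code from the article or from SafeBreach), the kind of detection logic a defender would write for the chain described above: an Office process spawning a DLL loader or script interpreter, and PowerShell launched hidden or with an execution-policy bypass. It runs over constructed sample process-creation events; the paths and command lines are assumptions, not values from the campaign.

```python
import ntpath
import re

# Office hosts that should not normally launch script engines or DLL loaders.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Child images worth flagging when their parent is an Office process.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
                       "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe", "control.exe"}
# PowerShell switches typical of a hidden stager: -w hidden, -ep bypass, -e/-enc/-encodedcommand.
HIDDEN_PS = re.compile(r"-(w(indowstyle)?\s+hidden|ep\s+bypass|e(nc|ncodedcommand)?\s+\S+)", re.I)

# Constructed sample events in the shape a Sysmon/EDR export might use (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,Run"},
    {"pid": 4188, "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\s.ps1"},
    {"pid": 5010, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},                       # benign interactive use
    {"pid": 5100, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},                             # benign print helper
]


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return one alert per event that matches either rule, preserving event order."""
    alerts = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        reasons = []
        if parent in OFFICE_HOSTS and child in SUSPICIOUS_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
        if child in {"powershell.exe", "pwsh.exe"} and HIDDEN_PS.search(ev["cmdline"]):
            reasons.append("powershell launched hidden or with execution policy bypass")
        if reasons:
            alerts.append({"pid": ev["pid"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two rules are deliberately independent so the second still fires when the PowerShell stage is launched by an intermediate loader rather than directly by Word, as in the sample chain.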

"Almost half of the victims are in the United States. Based on the contents of the Microsoft Word document and the data collected, we assume that the victims may be Iranians living abroad and may be considered a threat to the Islamic regime in Iran," said Tomer Bar, Director of Security Research at SafeBreach Labs.



"The attacker may be linked to the Islamic regime in Iran, as Telegram surveillance is characterized by Iranian threat agents such as Infy, Ferocious Kitten and Rampant Kitten."

The CVE-2021-40444 RCE vulnerability in Internet Explorer's MSHTML rendering engine has been exploited since August 18. Two weeks later, Microsoft released a security advisory with a partial mitigation, and a regular patch followed shortly afterwards.

Most recently, the bug was used by the Magniber ransomware gang to encrypt victims' devices.

Microsoft has also said that multiple threat actors, including ransomware gangs, have exploited this MSHTML RCE vulnerability with malicious Office documents delivered via phishing attacks.


Unsurprisingly, more and more cybercriminals are using CVE-2021-40444 exploits, as threat actors began sharing tutorials and proof-of-concept exploits on hacking forums even before the bug was fixed.

This probably allowed other actors and threat groups to start exploiting the vulnerability in their own attacks.

Source: Bleeping Computer
