
A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a new PowerShell-based information stealer designed to harvest extensive details from infected machines.

“[T]he stealer is a PowerShell script, short with powerful collection capabilities — in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim’s environment,” SafeBreach Labs researcher Tomer Bar said in a report published Wednesday.

Nearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at “Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime.”

The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was patched by Microsoft in September 2021, weeks after reports of active exploitation emerged in the wild.
