This old Internet Explorer bug is being used to steal Google, Instagram logins

News
By Sead Fadilpašić
published

It also monitors Telegram chats, experts warn

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

A new infostealer is making rounds on the web, grabbing Google and Instagram credentials and monitoring the victims’ Telegram correspondence, cyber-researchers are saying.

As reported by Bleeping Computer, security researchers from SafeBreach Labs have recently discovered a new Iranian threat actor, who’s been targeting the Farsi-speaking community all over the world with the new malware. 

The malware is a PowerShell-based stealer called PowerShortSell. It exploits a Microsoft MSHTML remote code execution (RCE) bug, tracked under the ticker CVE-2021-40444. To infect a device, the attacker first needs to execute a spear-phishing attack, sending a Microsoft Word attachment that can execute a DLL downloaded by running the malicious file.

Once the downloaded DLL launches PowerShortSell, the malware starts collecting data, stealing passwords, taking screenshots, and sending all of the data to the attacker’s command-and-control server.

Targeting enemies of the establishment

According to Tomer Bar, Director of Security Research at SafeBreach Labs, the targets seem to be “Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime”. Bar came to this conclusion after analyzing the contents of the Word document sent out in the phishing attack, in which Iran’s leaders are blamed for a “Corona massacre”. 

"The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran's threat actors like Infy, Ferocious Kitten, and Rampant Kitten,” he added.

Almost half of all of the victims (45.8%) live in the United States, with the remainder being in The Netherlands (12.5%), Russia, Germany, and Canada (8.3%). 

CVE-2021-40444 RCE bug, which impacts Internet Explorer’s MSTHML rendering engine, was patched mid-September this year. It was first spotted in the wild three weeks prior, as the Iranians were not the only group to abuse the discovered vulnerability. 

In fact, threat actors were sharing tutorials and proof-of-concepts on hacking forums long before Microsoft managed to patch it up, Bleeping Computer finds.

You might also want to check out our list of the best security keys out there

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.