MSHTML Bug Exploited to Steal Credentials

Iranian threat actor is stealing Google and Instagram credentials using a new PowerShell based theft tool which is also used to monitor Telegram and collect system information from the compromised devices which are sent to the servers controlled by the attackers along with the stolen credentials.

They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML RCE bug that is being tracked as CVE-2021-40444.

The PowerShell stealer payload is executed by a DLL file downloaded on the compromised systems. Once after the execution, the PowerShell script starts collecting data and screenshots, and transmits them to the attacker’s C2C.

The CVE-2021-40444 RCE bug affecting IE’s MSTHML rendering engine was exploited in the wild as zeroday. Recently, it was exploited in conjunction with malicious ads by the Magniber ransomware gang to infect targets with malware and encrypt their devices.

Microsoft also said that several threat actors, including ransomware affiliates, targeted this Windows MSHTML RCE bug using maliciously generated Office documents delivered via phishing attacks.

These attacks abused the CVE-2021-40444 flaw as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. Attackers are using the CVE-2021-40444 exploit since threat actors started sharing tutorials and proof-of-concept exploits on hacking forums even before the bug was patched.