It seems that a newly found Iranian threat actor is stealing Google and Instagram credentials from Farsi-speaking targets all around the world employing a new PowerShell-based stealer named PowerShortShell.
The data stealer is also used for Telegram monitoring and gathering system information from infected machines, which is then delivered to attacker-controlled servers along with the stolen credentials.
The attackers target Windows users with malicious Word attachments that exploit a Microsoft MSHTML remote code execution (RCE) vulnerability identified as CVE-2021-40444. A DLL obtained on infected computers executes the PowerShortShell stealer payload.
When executed, the PowerShell script begins to gather data and capture screenshots, which are later sent to the attacker’s command-and-control server.
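The infection chain above (Word document, then a DLL stage, then a PowerShell stealer) leaves a distinctive process ancestry that a defender can hunt for. The following is an added detection example, not code from the article or the research it cites; it runs over constructed Sysmon-style process-creation records, and the field names and the rundll32.exe intermediate stage are assumptions rather than details from the article.

```python
# Added example (not from the original article): flag process chains in which Microsoft Word
# ultimately launches PowerShell, the pattern behind the infection chain described above.
# The event schema and the rundll32.exe intermediate stage are assumptions.

OFFICE_PARENTS = {"winword.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 4  # how many hops upward from PowerShell we are willing to follow


def _basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_parent_map(events):
    """Map each process GUID to (image name, parent GUID)."""
    return {e["guid"]: (_basename(e["image"]), e["parent_guid"]) for e in events}


def ancestry(guid, procs, max_depth=MAX_DEPTH):
    """Return the chain of image names starting at guid and walking up to its ancestors."""
    chain = []
    while guid in procs and len(chain) <= max_depth:
        image, parent = procs[guid]
        chain.append(image)
        guid = parent
    return chain


def find_office_to_powershell(events):
    """Return ancestry chains (child first) of PowerShell processes descended from Word."""
    procs = build_parent_map(events)
    hits = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e["guid"], procs)
        if any(ancestor in OFFICE_PARENTS for ancestor in chain[1:]):
            hits.append(chain)
    return hits


# Constructed sample events: one Word -> rundll32 -> powershell chain, and one benign
# PowerShell launched directly from Explorer that must not be flagged.
SAMPLE_EVENTS = [
    {"guid": "A", "image": r"C:\Windows\explorer.exe", "parent_guid": "0"},
    {"guid": "B", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "parent_guid": "A"},
    {"guid": "C", "image": r"C:\Windows\System32\rundll32.exe", "parent_guid": "B"},
    {"guid": "D", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_guid": "C"},
    {"guid": "E", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_guid": "A"},
]

if __name__ == "__main__":
    for chain in find_office_to_powershell(SAMPLE_EVENTS):
        print(" <- ".join(chain))
```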
Almost half of the victims are located in the United States. Based on the Microsoft Word document content, which blames Iran’s leader for the “Corona massacre”, and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime. The adversary might be tied to Iran’s Islamic regime, since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits