MSHTML vulnerability has become the focus of threat actors

guest · Sep 23, 2021

Hackers hit Russian ministry, rocket center using MSHTML vulnerability
September 23, 2021
https://www.hackread.com/hackers-russia-ministry-rocket-center-mshtml-vulnerability/

Malwarebytes Intelligence team reports that the MSHTML vulnerability classified as CVE-2021-40444 has become the focus of threat actors targeting Russian government entities.

Malwarebytes researchers intercepted phishing email attachments revealing that attackers were trying to target Russian organizations.
Click to expand...

The CVE-2021-40444 vulnerability involves ActiveX and is an old flaw, but it was discovered recently, and soon enough, threat actors started sharing its PoCs, tutorials, and exploits on hacking forums to let interested individuals obtain step-by-step instructions about how to launch their own attacks.
About the Affected Entities
GREC Makeyev is Russia’s strategic defense and industrial complex for the space and rocket industry. This facility is also the country’s main solid and liquid fuel strategic missile system developer. Hence, it is Russia’s one of the leading R&D centers to develop rocket and space technology.
Click to expand...

How does the Attack Works?
The attack, according to Malwarebytes’ blog post, mainly depends on MSHTML. It loads a specially designed ActiveX control when the receiver opens an infected MS Office document and runs the arbitrary code to infect the system with more malware.
Click to expand...

Malwarebytes: MSHTML attack targets Russian state rocket centre and interior ministry

guest · Nov 24, 2021

Suspected Iranian hacker looks to steal Gmail, Instagram credentials
November 24, 2021
https://therecord.media/suspected-iranian-hacker-looks-to-steal-gmail-instagram-credentials/

An Iranian threat actor discovered earlier this year is responsible for attacks against U.S. targets designed to hoover up Gmail and Instagram credentials, according to research released Wednesday by security firm SafeBreach.

While the actor was originally exposed in September, further analysis by the company found phishing attacks that stretched back to July. Almost half of the phishing campaign’s victims are located in the United States.
The research also uncovered the PowerShell code, which researchers dubbed PowerShortShell, that attackers used to pilfer a range of critical data from victims, such as screenshots and Telegram files.
Click to expand...

SafeBreach said the documents exploited the CVE-2021-40444 vulnerability to drop the malicious PowerShell code, which then gathered data from the infected computer.
Click to expand...

SafeBreach: New PowerShortShell Stealer Exploits Recent Microsoft MSHTML Vulnerability to Spy on Farsi Speakers

SafeBreach Labs discovered a new Iranian threat actor using a Microsoft MSHTML Remote Code Execution (RCE) exploit for infecting Farsi-speaking victims with a new PowerShell stealer. The threat actor initiated the attack in mid-September 2021, and it was first reported by ShadowChasing[1] on Twitter. However, the PowerShell Stealer hash/code was not published and was not included in VirusTotal or other public malware repositories.

SafeBreach Labs analyzed the full attack chain, discovered new phishing attacks which started in July this year and achieved the last and most interesting piece of the puzzle - the PowerShell Stealer code - which we named PowerShortShell.
Click to expand...

guest · Dec 23, 2021

New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw
December 21, 2021

A short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.

"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report published Tuesday.
Click to expand...

CVE-2021-40444 (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents.

The new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available proof-of-concept Office exploit and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a "too-narrowly focused patch."

"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file," the researchers explained. "When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive."
Click to expand...

SophosLabs: Attackers test “CAB-less 40444” exploit in a dry run

An updated exploit takes a circuitous route to trigger a Word document into delivering an infection without using macros
Click to expand...

Log in or Sign up

MSHTML vulnerability has become the focus of threat actors

guest Guest

guest Guest

guest Guest

Log in or Sign up

MSHTML vulnerability has become the focus of threat actors

guest Guest

guest Guest

guest Guest

Useful Searches