Security News > 2021 > November > Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware

A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a new PowerShell-based information stealer designed to harvest extensive details from infected machines.

The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents.

The vulnerability was patched by Microsoft in September 2021, weeks after reports of active exploitation emerged in the wild.

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the Windows maker had noted.

While infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021.

The development is the latest in a string of attacks that have capitalized on the MSTHML rendering engine flaw, with Microsoft previously disclosing a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.

News URL

https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html