Security News > 2021 > November > Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware
A new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a new PowerShell-based information stealer designed to harvest extensive details from infected machines.
The phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents.
The vulnerability was patched by Microsoft in September 2021, weeks after reports of active exploitation emerged in the wild.
"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the Windows maker had noted.
While infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021.
The development is the latest in a string of attacks that have capitalized on the MSTHML rendering engine flaw, with Microsoft previously disclosing a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.
News URL
https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html
Related news
- Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Microsoft: Russian hackers accessed internal systems, code repositories (source)
- Hackers leverage 1-day vulnerabilities to deliver custom Linux malware (source)
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack (source)
- Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware (source)
- Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites (source)
- Russian Hackers May Have Targeted Ukrainian Telecoms with Upgraded 'AcidPour' Malware (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-15 | CVE-2021-40444 | Path Traversal vulnerability in Microsoft products <p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. | 8.8 |