Microsoft’s Bug Exploited by Threat Actor; Multiple Users Compromised!

In a further blow to Microsoft, an Iranian threat actor is exploiting a Microsoft vulnerability to steal the Google and Instagram credentials of Farsi-speaking users around the world, using a PowerShell-based tool called PowerShortShell, according to researchers at SafeBreach Labs.

The tool also collects Telegram data and system information from the compromised machines. That information is sent to attacker-controlled servers together with the stolen credentials.

The spear-phishing emails began in July, SafeBreach Labs said; the attacks were first publicly reported by the Shadow Chaser Group in September.

The threat actor infected Windows users with a weaponized Microsoft Word attachment that slipped past defenses by exploiting the MSHTML remote code execution (RCE) flaw, tracked as CVE-2021-40444.


PowerShortShell, an information stealer, is quietly installed on the compromised machine. Once running, it sends the collected data, including screenshots, back to a server chosen by the threat actor.

“Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the ‘Corona massacre’ and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime,” stated Tomer Bar, a director at SafeBreach Labs.

“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten.”


Exploitation of the bug was first observed on August 18, roughly two weeks before Microsoft published an advisory with workarounds on September 7; the security patch followed on September 14. The Magniber ransomware gang has since also used the bug in a recent campaign.
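The pre-patch workaround that advisory described was to block ActiveX control downloads in every Internet Explorer security zone through policy registry values. The script below is an added example, not code from the article, from SafeBreach or from Microsoft; it wraps those advisory values (1001 and 1004 set to 3, "Disable", for zones 0 through 3) in check, apply and revert functions. The function names and the layout are this example's own choices. It must run elevated, and a reboot is required for the change to take effect.

```powershell
<#
Added example (not from the original article). Implements the interim
workaround from Microsoft's CVE-2021-40444 advisory: disable ActiveX
control downloads in IE zones 0-3 via policy registry values. Value
1001 = download signed ActiveX controls, 1004 = download unsigned
ActiveX controls; 3 = Disable. Function names are this example's own.
#>

$ZonesRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneIds     = 0..3
$ValueNames  = '1001', '1004'
$DisableFlag = 3

function Get-ActiveXWorkaroundState {
    # Report, per zone and value, what is currently set and whether it matches the advisory.
    foreach ($z in $ZoneIds) {
        $key = Join-Path $ZonesRoot $z
        foreach ($n in $ValueNames) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
            }
            [pscustomobject]@{
                Zone      = $z
                Value     = $n
                Current   = $current
                Mitigated = ($current -eq $DisableFlag)
            }
        }
    }
}

function Set-ActiveXWorkaround {
    # Same effect as importing the advisory's .reg file: create the zone keys if
    # missing and force the two DWORD values to 3 in each of them.
    foreach ($z in $ZoneIds) {
        $key = Join-Path $ZonesRoot $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($n in $ValueNames) {
            New-ItemProperty -Path $key -Name $n -Value $DisableFlag -PropertyType DWord -Force | Out-Null
        }
    }
}

function Remove-ActiveXWorkaround {
    # Undo the policy once the September patch is installed, if it is not wanted permanently.
    foreach ($z in $ZoneIds) {
        $key = Join-Path $ZonesRoot $z
        if (Test-Path $key) {
            foreach ($n in $ValueNames) {
                Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
            }
        }
    }
}

# Usage: inspect first, apply only on hosts that have not yet received the patch.
Get-ActiveXWorkaroundState | Format-Table -AutoSize
# Set-ActiveXWorkaround; Restart-Computer
```

Two caveats a practitioner should keep in mind: the policy only blocks ActiveX controls that are not yet installed, so previously installed controls keep running (the advisory noted they do not expose this bug), and it is a stopgap, not a fix; the September 14 update is what actually closes CVE-2021-40444, after which the values can be removed with Remove-ActiveXWorkaround if the policy is not wanted long term.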


Microsoft acknowledged that multiple threat actors had exploited the bug, delivering specially crafted Office documents through phishing campaigns.

Microsoft said the bug was abused “as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.”

This is not the first time criminal hackers have exploited CVE-2021-40444. Exploits for the bug were widely discussed online, and some people went as far as publishing step-by-step tutorials on exploiting it before Microsoft released the patch.


That public discussion may have accelerated exploitation after the bug's discovery. The CVE-2021-40444 tutorials are easy to follow and let anyone build a tool that generates malicious documents.

This incident underscores how important it is to detect and promptly close such gaps. Stealthlabs, a leading security solutions provider, can help. Whether the bug is minor or severe, we work flat out to protect our clients. Reach out to us to fortify your systems.
