Industry: N/A | Level: Tactical | Source: SafeBreach
Research from SafeBreach Labs investigated activity from an Iranian threat actor utilizing MSHTML vulnerability CVE-2021-40444, along with a PowerShell information stealer script designated as “PowerShortShell.” The PowerShell script is named due to its short 153 lines of code that collects and provides crucial information about the victim’s environment to the adversary. The collected information includs screen captures, telegram files, and document collection. The described attack chain involves a malicious email and word document and a DLL drop to the %temp% directory that downloads and executes the PowerShortSell.
- Anvilogic Scenario: AVL_UC8308 – PowerShortShell Behaviors