November 24, 2021

PowerShortShell

Industry: N/A | Level: Tactical | Source: SafeBreach

Research from SafeBreach Labs investigated activity from an Iranian threat actor exploiting the MSHTML vulnerability CVE-2021-40444, along with a PowerShell information-stealer script designated “PowerShortShell.” The script takes its name from its short length: 153 lines of code that collect crucial information about the victim’s environment and deliver it to the adversary. The collected information includes screen captures, Telegram files, and documents. The described attack chain involves a malicious email and Word document and a DLL dropped to the %temp% directory, which downloads and executes PowerShortShell.
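A defender-side triage hunt for the "DLL dropped to %temp%" stage of the chain summarised above, added here as an example and not taken from the SafeBreach research: it lists DLLs recently written to the current user's %TEMP% and reports their Authenticode status and hash so unsigned or tampered drops stand out for escalation. The function name, the seven-day window and the use of the user-level `$env:TEMP` path are assumptions.

```powershell
# Added example (not from the SafeBreach report): hunt for recently written
# DLLs in %TEMP%, the drop location named in the described attack chain.
function Get-RecentTempDll {
    param(
        [int]$Days = 7,                 # assumption: look back one week
        [string]$Path = $env:TEMP       # assumption: current user's %temp%
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            # Authenticode check: a legitimate DLL is normally signed; a fresh,
            # unsigned DLL in a temp directory is worth a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeKB        = [math]::Round($_.Length / 1KB, 1)
                Signature     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer        = $sig.SignerCertificate.Subject
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Escalate anything that is not validly signed; the SHA256 column gives the
# value to compare against threat-intel indicators or submit for analysis.
Get-RecentTempDll -Days 7 |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object LastWriteTime -Descending |
    Format-Table Path, LastWriteTime, SizeKB, Signature, SHA256 -AutoSize
```

Run it per user session, since %TEMP% resolves to the invoking user's profile; for fleet-wide coverage the same logic can be wrapped in an endpoint query over each profile's temp directory.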