
Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials

Silviu STAHIE

November 26, 2021


A threat actor from Iran is responsible for a wave of phishing attacks that deploy malware and steal various private data, security researchers have discovered.

Phishing campaigns are often very decentralized, meaning they originate from multiple sources and countries. Identifying a particular threat actor is difficult, but it's not impossible, especially when that actor does more than just spread a regular phishing campaign.

SafeBreach security researchers took a closer look at an Iranian threat actor first identified in September 2021 and found that it had been active long before that. The actor targeted Farsi-speaking victims, most of them in the US.

"Almost half of the victims are located in the United States," said the researchers. "Based on the Microsoft Word document content - which blames Iran's leader for the 'Corona massacre' and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran's Islamic regime."

Victims receive an email with a Word file attached. If the user opens the file, a malicious HTML component drops a DLL on the system. That DLL eventually runs a PowerShell script capable of exfiltrating a wide range of data.

The stolen information includes system details such as the configuration and IP address. The script also collects every Office, PDF, or TXT document it finds, along with Telegram, Instagram, and Gmail files and credentials.

The researchers determined the source of the attacks and the main targeted countries. They also published the script's source code along with the relevant indicators of compromise.
