MassLogger is one of the most widely used credential stealers, and it has been detected in a new phishing campaign. The malware is capable of harvesting login details from Microsoft Outlook, Google Chrome, and some instant messenger applications.
The latest attacks were detected in Turkey, Latvia, and Italy last month. Last year, similar malware campaigns were detected against users in Bulgaria, Romania, Hungary, Lithuania, Estonia, and Spain, possibly by the same threat actor.
MassLogger 2021 Phishing Campaigns
First detected in April 2020, MassLogger's new variant shows that its authors continue to improve its detection evasion and monetization. The latest campaign was analyzed by Cisco Talos researchers.
“Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain. This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware’s processes,” the team said.
How does the MassLogger infection chain work?
Since the malware is spread via phishing emails, the infection begins when the victim opens the malicious message. These emails are usually designed to look as legitimate as possible, with a business-related subject line. Inside the email is a “RAR attachment with a slightly unusual filename extension”.
The usual filename extension for RAR files is .rar. However, RAR-compressed archives can also be split into multi-volume archives. In this case, the filename creates files with the RAR extension named “r00” and onwards with the .chm file extension. This naming scheme is used by the Masslogger campaign, presumably to bypass any programs that would block the email attachment based on its file extension, the report explained.
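The naming trick described above is a mismatch between what the filename extension claims and what the file actually contains, and that mismatch is something a mail gateway or endpoint script can check for. The following PowerShell is an added example, not code from the article or from Cisco Talos: it reads the first bytes of each file in a folder and reports any that carry the RAR archive signature but do not use a `.rar` or `.rNN` extension. The folder path and the sample filename `sample.r00.chm` are constructed for the demonstration.

```powershell
# Added example (not from the article or the Cisco Talos report):
# detect files whose header bytes say "RAR archive" while the extension says otherwise.

function Test-RarMagic {
    param([Parameter(Mandatory)][string]$Path)
    # RAR 4.x signature: 52 61 72 21 1A 07 00 ; RAR 5.x: 52 61 72 21 1A 07 01 00
    # Both share the same first six bytes, so that prefix is enough to identify the format.
    $bytes = [byte[]]::new(8)
    $fs = [System.IO.File]::OpenRead($Path)
    try { $read = $fs.Read($bytes, 0, 8) } finally { $fs.Dispose() }
    if ($read -lt 6) { return $false }
    return ([System.BitConverter]::ToString($bytes, 0, 6) -eq '52-61-72-21-1A-07')
}

function Find-MismatchedArchive {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $ext = $_.Extension.ToLowerInvariant()
        # Legitimate RAR volumes end in .rar or .rNN (.r00, .r01, ...); anything else is suspicious.
        $looksLikeRar = ($ext -eq '.rar') -or ($ext -match '^\.r\d{2}$')
        if ((Test-RarMagic -Path $_.FullName) -and -not $looksLikeRar) {
            [pscustomobject]@{
                File      = $_.FullName
                Extension = $ext
                Reason    = 'RAR header with non-RAR filename extension'
            }
        }
    }
}

# Constructed sample: a RAR5 header written to a file named in the style the campaign used.
$demoDir = Join-Path $env:TEMP 'attachment-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
$rar5Header = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01, 0x00, 0x00)
[System.IO.File]::WriteAllBytes((Join-Path $demoDir 'sample.r00.chm'), $rar5Header)

# Expected: one row for sample.r00.chm
Find-MismatchedArchive -Folder $demoDir | Format-Table -AutoSize
```

The same check can be applied to attachments a mail gateway extracts to a quarantine folder; matching on content rather than on the filename is what defeats the extension-based bypass the report describes.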
Note that every stage of the infection is obfuscated with simple techniques to bypass security detections. The second stage is a PowerShell script that deobfuscates into a downloader, which retrieves the main PowerShell loader. The loader is likely hosted on compromised legitimate hosts.
The main payload is a new variant of MassLogger that retrieves and exfiltrates user credentials for several applications. Both home and business users are at risk. Although the malware can operate as a keylogger, that feature is disabled in the latest campaign.
“The observed campaign is almost entirely executed and present only in memory, which emphasizes the importance of conducting regular and background memory scans. The only component present on disk is the attachment and the compiled HTML help file,” Cisco Talos said in conclusion.
What can users do to avoid MassLogger infections?
Configure your operating system to log PowerShell events such as module loading and executed script blocks. With this logging enabled, the executed code is recorded in deobfuscated form, so what an obfuscated loader actually runs becomes visible in the event log.
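The following PowerShell is an added example, not code from the article or from Cisco Talos. It enables Script Block Logging and Module Logging through the same registry values that the corresponding Group Policy settings write, then pulls recent script block events and flags those that contain download-and-execute primitives of the kind a PowerShell loader relies on. The 24-hour window and the keyword list are choices made for this example; run it from an elevated session.

```powershell
# Added example (not from the article or the Cisco Talos report):
# enable PowerShell logging and review the deobfuscated script blocks it produces.
$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
# The event carries the script text after PowerShell has decoded it, i.e. the deobfuscated code.
New-Item -Path "$policyBase\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$policyBase\ScriptBlockLogging" -Name EnableScriptBlockLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Module Logging -> Event ID 4103, pipeline execution details for the listed modules ('*' = all).
New-Item -Path "$policyBase\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$policyBase\ModuleLogging" -Name EnableModuleLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$policyBase\ModuleLogging\ModuleNames" -Name '*' `
    -Value '*' -PropertyType String -Force | Out-Null

function Get-SuspiciousScriptBlock {
    # Return 4104 events from the last $Hours hours whose script text uses common loader primitives.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId
        $text = [string]$_.Properties[2].Value
        if ($text -match 'DownloadString|DownloadFile|FromBase64String|Invoke-Expression|\biex\b') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlock | Format-Table -AutoSize -Wrap
```

Because the loaders in this campaign run almost entirely in memory, the 4104 script text is often the only durable record of what executed; forwarding that channel to a central log collector keeps it available even if the host is later cleaned or rebuilt.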
You can also have a look at our dedicated MassLogger Trojan removal guide.