MassLoger is one of the most popular credential stealers out there, and it’s been detected in a new phishing campaign. The malware is capable of harvesting login details from Microsoft Outlook, Google Chrome, and some instant messenger applications.
The latest attacks were detected in Turkey, Latvia, and Italy last month. Last year, similar malware campaigns were detected against users in Bulgaria, Romania, Hungary, Lithuania, Estonia, and Spain, possibly by the same threat actor.
MassLoger 2021 Phishing Campaigns
First detected in April 2020, MassLoger’s new variant shows that its authors continue to work on its improvement in terms of detection evasion and monetization. The latest campaign of the malware was analyzed by Cisco Talos researchers.
How does the MassLoger infection chain work?
Since the malware is spread in phishing emails, the first step of the infection would be to open the malicious message. Usually, these emails are designed to look as legitimate as possible, having a subject line related to a business. Inside the email is a “RAR attachment with a slightly unusual filename extension”:
The usual filename extension for RAR files is .rar. However, RAR-compressed archives can also be split into multi-volume archives. In this case, the filename creates files with the RAR extension named “r00” and onwards with the .chm file extension. This naming scheme is used by the Masslogger campaign, presumably to bypass any programs that would block the email attachment based on its file extension, the report explained.
It should be noted that every infection stage is obfuscated via simple signatures to bypass security detections. The second stage includes a PowerShell script deobfuscated into a downloader that loads the main PowerShell loader. The malware loader is likely hosted on compromised legitimate hosts.
The main payload is a new variant of MassLogger that retrieves and exfiltrates user credentials for several applications. Both home and business users are at risk. Even though the malware can be used as a keylogger, the latest campaign has this feature disabled.
“The observed campaign is almost entirely executed and present only in memory, which emphasizes the importance of conducting regular and background memory scans. The only component present on disk is the attachment and the compiled HTML help file,” Cisco Talos said in conclusion.
What can users do to avoid MassLogger infections?
You should configure your operating system for logging PowerShell events, like module loading and executed script blocks. This configuration will show you executed code in a deobfuscated format.
You can also have a look at our dedicated MassLogger Trojan removal guide.