A variant of the Masslogger Trojan is being used in attacks designed to steal Microsoft Outlook, Google Chrome, and messenger service account credentials.
On Wednesday, cybersecurity researchers from Cisco Talos said the campaign is currently focused on victims in Turkey, Latvia, and Italy, expanding activities documented in late 2020 which targeted users in Spain, Bulgaria, Lithuania, Hungary, Estonia, and Romania.
It appears that targets are changing on close to a monthly basis.
Masslogger was first spotted in the wild in April 2020, sold under licensing agreements in underground forums. However, the new variant is considered “notable” by Talos due to its use of a compiled HTML file format to trigger the infection chain.
Threat actors begin their attacks in a typical way, which is through phishing emails. In this attack wave, phishing messages masquerade as business-related queries and contain .RAR attachments.
When a victim opens the attachment, it turns out to be split into multi-volume archives with the “r00” extension, a feature the researchers believe could be an effort to “bypass any programs that would block [an] email attachment based on its file extension.”
From the archive, a compiled HTML file (.CHM, the default format for legitimate Windows Help files) is extracted; it contains a further HTML file with embedded JavaScript code. The code is obfuscated at each stage and eventually leads to a PowerShell script being deployed that contains the Masslogger loader.
The Masslogger Trojan variant, designed for Windows machines and written in .NET, will then begin the exfiltration of user credentials and is not picky in its targets — both home users and businesses are at risk, although it appears the operators are focusing on the latter.
The malware is stored in memory as a gzip-compressed buffer, after which it begins harvesting credentials. Microsoft Outlook, Google Chrome, Firefox, Edge, NordVPN, FileZilla, and Thunderbird are among the applications targeted by the Trojan.
Stolen information can be sent through SMTP, FTP, or HTTP channels. Information uploaded to an exfiltration server includes the victim’s PC username, country ID, machine ID, and a timestamp, as well as records relating to configuration options and running processes.
“The observed campaign is almost entirely executed and present only in memory, which emphasizes the importance of conducting regular and background memory scans,” Talos says. “The only component present on disk is the attachment and the compiled HTML help file.”
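Since the only components that touch disk are the split-archive attachment and the CHM file, one defensive check is to classify mail attachments by content signature rather than trusting the file extension the sender chose. The following is an added example written for this article, not code from Cisco Talos; the attachment names and byte strings are constructed, and the RAR and CHM magic values are the public file-format headers.

```python
import re
from dataclasses import dataclass

# Public format headers: RAR 4.x and RAR 5 archive signatures, and the
# "ITSF" header that starts a Microsoft compiled HTML help (CHM) file.
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
CHM_MAGIC = b"ITSF"

# Old-style split RAR volume names (.r00, .r01, ...), the extension trick
# described in the article.
SPLIT_VOLUME_RE = re.compile(r"\.r\d{2}$", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    head: bytes  # first bytes of the attachment content


def classify(att: Attachment) -> list[str]:
    """Return the reasons this attachment should be flagged (empty = nothing found)."""
    reasons = []
    name = att.name.lower()
    is_rar = att.head.startswith(RAR_MAGIC)  # startswith accepts a tuple of prefixes
    is_chm = att.head.startswith(CHM_MAGIC)
    is_split_name = bool(SPLIT_VOLUME_RE.search(name))
    if is_split_name:
        reasons.append("split RAR volume extension (.rNN)")
    if is_rar and not (name.endswith(".rar") or is_split_name):
        reasons.append("RAR content under a non-RAR extension")
    if is_chm:
        reasons.append("compiled HTML help (CHM) attachment")
    return reasons


def flag_attachments(atts: list[Attachment]) -> dict[str, list[str]]:
    """Map each suspicious attachment name to its list of reasons."""
    flagged = {}
    for att in atts:
        reasons = classify(att)
        if reasons:
            flagged[att.name] = reasons
    return flagged


# Constructed sample attachments (not real campaign artefacts).
SAMPLES = [
    Attachment("invoice.pdf", b"%PDF-1.7\n" + b"\x00" * 8),
    Attachment("quote_0221.r00", b"Rar!\x1a\x07\x00" + b"\x00" * 8),
    Attachment("details.txt", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8),
    Attachment("help.chm", b"ITSF\x03\x00\x00\x00" + b"\x00" * 8),
]
```

Running `flag_attachments(SAMPLES)` flags the three non-PDF samples, including the RAR volume hiding behind a `.txt` name, which an extension-only filter would pass.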
The researchers note that Masslogger is also able to act as a keylogger, but in this variant, it appears that the keylogging functionality has been disabled.
Based on indicators of compromise (IoCs), Cisco Talos believes the attackers can also be linked to past use of the AgentTesla, Formbook and AsyncRAT Trojans.