New variant of MassLogger Trojan stealing Chrome, Outlook data

MassLogger was first seen in April 2020; the updated version now targets Windows users and steals credentials stored by Chrome and Microsoft Outlook, among other programs.

A new version of the credential-stealing trojan MassLogger has resurfaced in a phishing campaign that steals credentials from instant-messaging clients, Microsoft Outlook and Google Chrome.

The new version reaches Windows users as a compiled HTML (CHM) file, which starts the infection chain. CHM is the format normally used for Windows Help files, but it can also carry active script content; here that content is JavaScript, which launches the rest of the malware's operation.

Campaign active in several countries

The campaign was discovered by Cisco Talos researchers, who found that it mainly affects users in Turkey, Spain, Russia, Italy and Latvia. It has been active since mid-January.

According to the researchers, the operators now disguise the malicious RAR archive that opens the infection chain, a new move for this malware. The disguise lets the attachment slip past email filters that block attachments on the basis of a .rar extension, which is why a check that looks at file content rather than file name is the relevant defence.
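As an added example (not code from the article or from Cisco Talos) of the check the two passages above call for: a PowerShell function that identifies an attachment by its leading bytes rather than its file extension, so a RAR archive or a compiled HTML (CHM) file that has been renamed is still recognised. The byte signatures are the published magics for those formats; the function name, the output fields and the sample file written at the end (a RAR5 header under a harmless-looking name) are constructed for this demonstration.

```powershell
# Added example, not code from the article or from Cisco Talos.
# Published leading-byte signatures for the two container formats in the
# infection chain. An extension filter misses a renamed file; these do not.
$Signatures = @(
    @{ Name = 'RAR archive (v1.5-4.x)';   Bytes = [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07,0x00);      Ext = @('.rar') }
    @{ Name = 'RAR archive (v5)';         Bytes = [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07,0x01,0x00); Ext = @('.rar') }
    @{ Name = 'Compiled HTML Help (CHM)'; Bytes = [byte[]](0x49,0x54,0x53,0x46);                     Ext = @('.chm') }
)

function Get-AttachmentType {
    param([Parameter(Mandatory)][string]$Path)

    # Read only the first 8 bytes; that is all the signatures above need.
    $header = [byte[]]::new(8)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $count = $stream.Read($header, 0, $header.Length) }
    finally { $stream.Dispose() }

    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()

    foreach ($sig in $Signatures) {
        if ($count -lt $sig.Bytes.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Bytes.Length; $i++) {
            if ($header[$i] -ne $sig.Bytes[$i]) { $match = $false; break }
        }
        if ($match) {
            return [pscustomobject]@{
                Path      = $Path
                Type      = $sig.Name
                Extension = $ext
                # Content says RAR/CHM but the name does not: the disguise
                # the article describes.
                Disguised = ($sig.Ext -notcontains $ext)
            }
        }
    }
    return [pscustomobject]@{ Path = $Path; Type = 'unrecognised'; Extension = $ext; Disguised = $false }
}

# Constructed sample (hypothetical file name and padding bytes): a RAR5
# header saved as if it were a PDF.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'Customer_Inquiry.pdf'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07,0x01,0x00,0x00,0x00,0x00,0x00))
Get-AttachmentType -Path $sample
Remove-Item $sample
```

For the constructed sample the function reports the type as a RAR v5 archive with a .pdf extension and sets Disguised to true; a genuine .rar or .chm attachment is reported with Disguised false, so the field can drive a mail-gateway quarantine rule that an extension list cannot. The same check can be run over a folder of extracted attachments with Get-ChildItem piped into the function.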

Malware operators using multi-modular approach

In a blog post, the researchers said the malware operator(s) use a multi-modular approach throughout this campaign, from the phishing email through to the final payload. Although the extra stages help the malware evade detection, they are also a weakness: each stage gives defenders another opportunity to break the kill chain.

The phishing email carries a plausible business-related subject line; one email sent to users in Turkey, for instance, was titled “Domestic Customer Inquiry.”

Later emails were framed as a “memorandum of understanding” and pressed the recipient to sign the document.

The attachment carries obfuscated JavaScript that builds an HTML page. That page contains a PowerShell downloader, which connects to a legitimate server and fetches the loader that launches the MassLogger payload.

Phishing email carrying the MassLogger trojan, aimed at victims in Spain

What is MassLogger?

MassLogger is spyware that steals user credentials from a variety of programs, including Chrome and Outlook. The new variant is .NET-based and is built to hinder static analysis. The malware was first spotted in the wild in April 2020, but the new variant is more capable: its authors have retooled it to evade detection.

How does it work?

In the present campaign the latest MassLogger variant, version 3.0.7563.31381, can exfiltrate data over FTP, SMTP or HTTP, and adds the ability to steal credentials from the Pidgin messenger client, NordVPN, Discord, Thunderbird, Firefox, QQ Browser, Chrome, Edge, Opera and Brave.

The malware can also be configured as a keylogger, but that functionality is disabled in this campaign.

“Users are advised to configure their systems for logging PowerShell events such as module loading and executed script blocks as they will show executed code in its deobfuscated format,” Cisco Talos researchers advised.
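The following is an added example (not from the article or from Cisco Talos) of the configuration the researchers recommend. It writes the same policy registry values that the Group Policy settings "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" set, then reads the recorded script blocks back from the event log. It must run as Administrator, and only PowerShell sessions started after the change are covered. The function names and the indicator regex at the end are assumptions for the demonstration; the article does not say which cmdlets the campaign's downloader uses.

```powershell
# Added example, not code from the article or from Cisco Talos.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging: every script block the engine runs is written to
    # Microsoft-Windows-PowerShell/Operational as event ID 4104, in the form
    # actually executed, i.e. after string and encoding obfuscation is undone.
    $sbl = Join-Path $base 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

    # Module logging: pipeline execution details (event ID 4103) for every
    # loaded module; the '*' entry under ModuleNames means "all modules".
    $ml    = Join-Path $base 'ModuleLogging'
    $names = Join-Path $ml   'ModuleNames'
    New-Item -Path $names -Force | Out-Null
    New-ItemProperty -Path $ml    -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Get-LoggedScriptBlocks {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue   # no events yet is not an error

    # Long script blocks are split across several 4104 events that share a
    # ScriptBlockId; reassemble them in MessageNumber order.
    # Event properties: [0] MessageNumber, [1] MessageTotal,
    #                   [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
    $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $parts = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
        [pscustomobject]@{
            Time          = $parts[0].TimeCreated
            ScriptBlockId = $_.Name
            Path          = $parts[0].Properties[4].Value
            Text          = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
        }
    }
}

Enable-PowerShellLogging

# Hunt for a downloader stage like the one described in the article: script
# blocks that fetch content over HTTP and execute it. The pattern is a generic
# assumption, not an indicator taken from the campaign.
Get-LoggedScriptBlocks | Where-Object {
    $_.Text -match 'Net\.WebClient|Invoke-WebRequest|DownloadString|Invoke-Expression|\bIEX\b'
} | Format-List Time, Path, Text
```

Because 4104 records the script block as the engine executes it, the text returned by Get-LoggedScriptBlocks is already deobfuscated even when the on-disk JavaScript and PowerShell were encoded, which is the point the researchers make. Forward the Microsoft-Windows-PowerShell/Operational log to a SIEM so the record survives if the endpoint is wiped, and expect 4103 volume to be high once module logging covers all modules.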
