MassLogger was originally discovered in April 2020.
A new version of the infamous credential stealer trojan called MassLogger has resurfaced in a phishing campaign stealing credentials from instant messenger apps, MS Outlook, and Google Chrome.
Campaign active in several countries
The campaign was discovered by Cisco Talos researchers, who found that it mainly affects users in Turkey, Spain, Russia, Italy, and Latvia. The campaign has been active since mid-January.
According to researchers, the MassLogger variant disguises its malicious RAR files at the start of the infection chain, a new move from the operators. This helps the malware sidestep detection tools that can potentially block RAR extension-based email attachments.
Malware operators using multi-modular approach
According to a blog post published by the researchers, the malware operator(s) employ a multi-modular approach in this campaign, from the first step of the phishing email through to dropping the final payload. Although this allows them to evade detection, it could also be a weakness, as defenders get plentiful opportunities to break the kill chain.
The phishing email contains a legit-looking subject line related to a business. For instance, one of the emails sent to Turkish users had the subject line “Domestic Customer Inquiry.”
Later, the operators sent emails in the form of a “memorandum of understanding” compelling the recipients to sign the document.
What is MassLogger?
It is spyware that can swipe user credentials from a variety of platforms, including Chrome and Outlook. The new variant is .NET-based malware that can hinder static analysis. It was first spotted in the wild in April 2020. However, the new variant is far more potent, as the malware authors have successfully retooled it to evade detection.
How does it work?
In the present campaign, apart from exfiltrating data through FTP, SMTP, or HTTP, the latest MassLogger variant version 3.0.7563.31381 features an additional functionality of pilfering Pidgin messenger client, NordVPN, Discord, Thunderbird, Firefox, QQ Browser, Chrome, Edge, Opera, and Brave credentials.
The malware can be configured as a keylogger, but this functionality is disabled in the present campaign.
“Users are advised to configure their systems for logging PowerShell events such as module loading and executed script blocks as they will show executed code in its deobfuscated format,” Cisco Talos researchers advised.
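As an added example (not code from the article or from Cisco Talos), the following PowerShell turns on the logging the researchers recommend and reads back recently logged script blocks so an analyst can see executed code in its deobfuscated form. It assumes an elevated session on a Windows host; the registry paths are the standard policy keys behind the "Turn on PowerShell Script Block Logging" and "Turn on Module Logging" Group Policy settings, and the search pattern at the end is a constructed illustration, not an indicator from this campaign.

```powershell
# Added example (not from the article or Cisco Talos): enable PowerShell
# script block and module logging, then read back recent script blocks.
# Assumes a Windows host and an elevated PowerShell session.

function Enable-PowerShellLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging records each script block as it is executed,
    # after obfuscation layers have been unwrapped (Event ID 4104).
    $sbl = Join-Path $base 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging records pipeline execution details for the listed
    # modules (Event ID 4103); a '*' entry under ModuleNames covers all modules.
    $mod = Join-Path $base 'ModuleLogging'
    New-Item -Path $mod -Force | Out-Null
    Set-ItemProperty -Path $mod -Name 'EnableModuleLogging' -Value 1 -Type DWord
    $names = Join-Path $mod 'ModuleNames'
    New-Item -Path $names -Force | Out-Null
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Get-RecentScriptBlocks {
    param([int]$MaxEvents = 50)
    # Event ID 4104 carries the logged script text in its third property.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            ScriptText = $_.Properties[2].Value
        }
    }
}

Enable-PowerShellLogging

# Constructed triage filter: surface script blocks that download content or
# decode embedded data, which is where a staged loader reveals its real code.
Get-RecentScriptBlocks | Where-Object {
    $_.ScriptText -match 'Net\.WebClient|Invoke-WebRequest|FromBase64String'
}
```

The policy keys take effect for new PowerShell sessions, so run the query from a fresh session after enabling logging.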