Masslogger Spyware Campaign Evolves

Masslogger Spyware Campaign Evolves

Online security is evolving quickly and threat teams are working tirelessly to deconstruct the workings of cybercriminals. This fact is making it increasingly difficult for cybercriminals and threat groups to conduct disruptions and attacks. Nonetheless, cybercriminals today have an increasing arsenal of cyberweapons to deploy upon the internet. The types of malware cybercriminals aim to inject include anything that will lead to heavy-hitting ransomware campaigns, fraudulent email phishing schemes, and far-reaching spyware strategies -which in this case is a persistent ‘masslogger’ spyware campaign.

In a new report released today by Cisco Talos Intelligence Group, ongoing analysis into an international spyware campaign targeting home and business users known as the Masslogger has heralded the news of a novel, evolving aspect of this malicious project.

What is a Masslogger?

Cisco Talos intelligence stated in their report that a Masslogger is essentially a trojan malware (malicious program), designed to “retrieve and exfiltrate user credentials”. The trojan is spyware-heavy, in that it is intended to ‘spy’ and basically steal information. This variant of the Masslogger has been designed to infiltrate and steal data from email, browser, and messaging services. The scheme begins with a simple email containing a (dubious) RAR attachment, which leads the user down the rabbit hole to the final ‘payload’ which activates s Powershell script that downloads the trojan program.

  • Masslogger is multi-modular which means it has several stages of infection
  • Masslogger’s main process is a ‘keylogger
  • Masslogger is designed to steal user credentials
  • Masslogger is socially engineered to bait the user into clicking a malicious email link
  • Masslogger targets home and business users

Masslogger functions on a “memory-only” basis (remains in volatile memory) and therefore attempts to be an undetectable chain of events. Critically, Masslogger will attempt to exclude itself from security programs and will boot up with the computer even spreading to USB if available.

Masslogger was created by NYANxCAT, an active ‘underground user’. It was first released in April 2020, and the program was also sold on ‘underground’ forums, for a “moderate price with a few licensing options” ($30 for 3 months, or $50 for lifetime).

Past Masslogger Campaigns

Earlier instances of a similar campaign orchestrated by the same ‘actor’ were uncovered in September through November 2020. Analysis by Cisco Talos indicated that users in the following countries were affected;

  • Bulgaria
  • Lithuania
  • Estonia
  • Hungary
  • Romania
  • Spain

The campaign used a multi-modular approach that comprised of an “initial phishing email” containing a current and interesting subject that was business-related. Additionally, a RAR (compressed file) attachment with a “slightly unusual filename extension” was attached to the email. The RAR file extension naming scheme was a signature component of the Masslogger campaign. Multi-volume RAR archives (split beforehand) containing the extension “r00” and “.chm” was the naming scheme of the Masslogger campaign. Cisco Talos suggests that this was done to “bypass any programs that would block the email attachment based on its file extension”.

The earlier campaigns focused on the user “signing a memorandum of understanding” (MOU) and had malicious links attached. Furthermore, the line “Please return signed and stamped. Best regards” would be in the body.

What is The New Development

Cisco Talos has stated that what “distinguishes the individual actors behind each campaign” is the infection chain and the contextual information. They believe that the same actor was behind the ‘AsyncRAT’ and ‘AgentTesla Formbook’.

The latest campaign had begun in mid-January, according to Cisco Talos. They believe that organizations in Turkey, Latvia, and Italy are targeted. The emails sent to users includes the following;

  • To send ‘quotes’
  • A ‘domestic customer inquiry’
  • Containing ‘important information’
  • Containing a clickable link
  • Possibly an attached RAR File

The HTML component is what distinguishes this new campaign. All of the emails in the new campaign contain a ‘.chm’ filename extension within the attached RAR file. The ‘.chm’ file extension is the default format for Windows Help Files which then leads the user to a ‘Customer service, Please Wait’ window. The window process contains an ActiveX/Powershell downloader, that connects to a “compromised” host.

If the user follows through with the email link, the malicious software will be automatically downloaded to the computer system. Once it is downloaded, the Masslogger can steal credentials from the following (but not limited to);

  • Outlook
  • Chrome browsers
  • Thunderbird
  • NordVPN
  • FileZilla FTP client
  • Pidgin messenger client
  • Discord
  • QQ Browser

Once credentials are stolen, they are uploaded to an external server. Eventually, stolen user credentials will find their way onto the dark web. Cisco Talos also note that the actor behind Masslogger shifts the target countries every month.

Staying Safe From Massloggers

A Masslogger infection chain cannot function if the link in the malicious email is not clicked. For both business users and regular users, it is crucial to always;

  • Conduct background memory scans
  • Never open unknown emails
  • Always use antimalware and antivirus programs
  • Keep software and operating systems updated
Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.