MassLogger - malware able to steal the login information of Chrome, Edge and Outlook from the target

MassLogger - a notorious credential-stealing trojan targeting Windows systems - has officially made a dangerous 'comeback'.

MassLogger - a notorious trojan that steals login credentials from Windows systems - has officially returned in a new phishing campaign aimed at stealing credentials from Microsoft Outlook, Google Chrome and a series of popular instant messaging applications.

Primarily targeting users in Turkey, Latvia and Italy starting in mid-January, these attacks revolve around the use of MassLogger, a .NET-based malware built to hinder static analysis.

Through initial analysis, experts say there is a clear similarity between these new attacks and an earlier campaign targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain on January 9, 10 and 11, 2020. The similarities lie both in the attack method and in the actor behind it.

MassLogger was first discovered in April last year and has been active ever since. However, the recently discovered variant is an all-new 'upgrade', making it more dangerous and harder to deal with.

"Although the activities of the Masslogger trojan have been relatively well documented before, we found a significant difference in this campaign. For example, the malware uses the compiled HTML file format to initiate the infection sequence," said the researchers from Cisco Talos, the group responsible for monitoring MassLogger's activity.

Compiled HTML (or .CHM) is a proprietary online help format developed by Microsoft, and is used to provide topic-based reference information.

The new wave of attacks begins with phishing emails carrying 'legitimate-looking' subject lines and a carefully crafted disguise, each appearing to relate to a specific business.

Regardless of the subject, the attachments in the fake emails follow the same format: a RAR archive with a fairly long filename made up of varied character strings (for example, "70727_YK90054_Teknik_Cizimler.R09").


These attachments contain a single compiled HTML file that, when opened, displays the message "Customer service" but in fact embeds obfuscated JavaScript that builds the HTML page. That page in turn contains a PowerShell downloader which connects to a legitimate server and fetches the loader ultimately responsible for launching the MassLogger payload.
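The chain above (a RAR archive under an unusual extension, wrapping a CHM help file) is something a mail gateway or triage script can check by file content rather than by filename. The following Python is an added example written for this page, not code from Cisco Talos or from the article; the RAR and CHM magic bytes are public format signatures, and the sample attachments (including one using the filename quoted above) are constructed here for illustration.

```python
import os

# Public file signatures for the two container formats in the described chain.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x archive header
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive header
CHM_MAGIC = b"ITSF"                    # Microsoft Compiled HTML Help (.chm)


def sniff_type(data: bytes) -> str:
    """Identify the container type from the leading bytes, ignoring the filename."""
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed type and list findings.

    Extension-based filters are bypassed when an archive is renamed, so the
    decision here is driven by the content signature, not by the name.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = sniff_type(data)
    findings = []
    if actual == "rar" and ext != "rar":
        findings.append("RAR archive presented with extension '.%s' instead of '.rar'" % ext)
    if actual == "chm":
        findings.append("compiled HTML help file (CHM) attachment")
    return {
        "filename": filename,
        "declared_ext": ext,
        "actual_type": actual,
        "findings": findings,
    }


# Constructed sample attachments (signature plus filler bytes); not real captures.
SAMPLE_RAR = RAR5_MAGIC + b"\x00" * 24
SAMPLE_CHM = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 24
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

SAMPLES = [
    ("70727_YK90054_Teknik_Cizimler.R09", SAMPLE_RAR),  # filename quoted in the article
    ("Customer_service.chm", SAMPLE_CHM),               # constructed name
    ("invoice.pdf", SAMPLE_PDF),                        # constructed benign control
]


def scan_samples() -> list:
    """Run the assessment over the constructed samples and return the results."""
    return [assess_attachment(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for result in scan_samples():
        status = "FLAG" if result["findings"] else "ok"
        print("%-4s %-36s type=%-7s %s" % (
            status, result["filename"], result["actual_type"], "; ".join(result["findings"])))
```

Only the archive header is inspected here; unpacking the RAR and recursing into the CHM would need an archive library, but even this first check makes a renamed archive or a CHM attachment visible to an analyst regardless of what the filename claims.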

In addition to exfiltrating collected data via SMTP, FTP or HTTP, the latest version of MassLogger (version 3.0.7563.31381) also adds the ability to steal login information from Pidgin, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and Chromium-based browsers such as Chrome, Edge, Opera and Brave.

The new campaign, along with the more dangerous MassLogger variant, is still being closely monitored.
