- MassLogger spyware has come back in a new variant with more powers.
- According to Cisco researchers, the spyware can now go undetected on Windows.
- It targets users and steals their credentials from browsers and apps.
Probably the best and the worst thing about hackers is that they keep improving their malicious tools to reach their goal. The latest example is the re-emergence of a credential-stealing campaign that affects Windows systems and steals information from the Google Chrome browser, the Microsoft Outlook app, and instant messaging apps installed on the machine. Security researchers at Cisco Talos said on Wednesday that the series of attacks has primarily targeted users in Turkey, Latvia, and Italy, while similar campaigns hit users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain last year.
How does Masslogger work?
In the words of Cisco Talos researchers, "infection starts with an email message containing a legitimate-looking subject line that seems to relate to a business." The email carries a RAR archive with an unusual file extension. A RAR file normally ends in .rar, but this attachment uses .r00, which still behaves as a RAR archive and is chosen to bypass detection programs that filter attachments on the basis of file extension alone. Later, this extension changes to .chm.
The main payload is the Masslogger variant itself, which fetches user credentials from several sources, such as browsers and instant messaging apps, affecting both personal and business users. Masslogger can also be configured as a keylogger that records keystrokes, but this variant does not have that functionality, the researchers said in the report.
One example scanned by the researchers is an email with the subject line "Domestic customer inquiry". The email body carried an attachment intended to compromise the user's computer with the malware. The file was named "70727_YK90054_Teknik_Cizimler.R09", again a RAR archive with an extension other than .rar. Researchers have observed that this Masslogger variant not only exfiltrates data from SMTP, FTP, and HTTP locations, but also steals data from the Pidgin messenger client, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and all Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, and Brave.
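The evasion described above (a RAR archive delivered under .r00, and the observed filename ending in .R09) works only against filters that key on the extension. The following Python script is an added example for defenders, not code from the article or from Cisco Talos: it classifies attachments by their leading magic bytes and flags any file whose real container type does not match the extension it was sent under. The attachment bodies are constructed sample data (only the signature bytes matter for this check); the filename "70727_YK90054_Teknik_Cizimler.R09" is the one quoted in the report, and the other filenames and the allow-list of extensions are assumptions for the example.

```python
"""
Added example (not from the article or Cisco Talos): classify e-mail attachments
by their real container type (magic bytes) instead of trusting the filename
extension, so a RAR archive renamed to .r00 or .R09 is still recognised as RAR.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Leading byte signatures of the container / executable formats we care about.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 5.x archive
    (b"Rar!\x1a\x07\x00", "rar"),      # RAR 1.5 to 4.x archive
    (b"ITSF", "chm"),                  # Compiled HTML Help file
    (b"PK\x03\x04", "zip"),            # ZIP (also docx/xlsx/jar containers)
    (b"MZ", "exe"),                    # PE executable
]

# Extensions under which each real type is allowed to arrive (assumed policy).
# Old-style RAR volume names (.r00 .. .r99) are intentionally NOT allowed: that
# is exactly the naming trick the campaign uses to slip past extension filters.
ALLOWED_EXT = {
    "rar": {"rar"},
    "chm": {"chm"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "scr"},
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the real container type from the file's leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def declared_extension(filename: str) -> str:
    """Lower-cased extension as a mail filter would see it ('' if none)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


@dataclass
class Verdict:
    filename: str
    declared_ext: str
    actual_type: Optional[str]
    suspicious: bool
    reason: str


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Flag the attachment when its content type contradicts its extension."""
    ext = declared_extension(filename)
    kind = detect_type(data)
    if kind is None:
        return Verdict(filename, ext, None, False, "no known container signature")
    if ext in ALLOWED_EXT[kind]:
        return Verdict(filename, ext, kind, False, f"{kind} content under expected extension")
    return Verdict(filename, ext, kind, True,
                   f"extension mismatch: .{ext or '<none>'} declared but content is {kind}")


def scan_attachments(attachments: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Inspect every (filename, bytes) pair of a message and return the verdicts."""
    return [inspect_attachment(name, data) for name, data in attachments]


# Constructed sample attachment bodies: only the leading bytes matter here.
RAR4 = b"Rar!\x1a\x07\x00" + b"\x00" * 16
RAR5 = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
CHM = b"ITSF" + b"\x00" * 16
PDF = b"%PDF-1.7\n%constructed"

SAMPLE_ATTACHMENTS = [
    ("70727_YK90054_Teknik_Cizimler.R09", RAR4),  # filename from the report, body constructed
    ("quote_2021.rar", RAR5),                     # assumed benign name
    ("technical_drawings.r00", CHM),              # assumed: CHM hidden under a RAR volume name
    ("brochure.pdf", PDF),                        # assumed benign, unknown to this checker
]

if __name__ == "__main__":
    for v in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {v.filename}: {v.reason}")
```

The check deliberately stops at "declared extension disagrees with real content"; a file with no recognised signature is left to other controls rather than flagged, so the rule stays low-noise enough to run on every inbound message.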
How to protect your Windows machine?
Researchers advise users never to open a suspicious-looking email and, if they already have, to refrain from downloading or clicking on any attachments. Using an advanced malware protection solution that covers the whole machine, and not just email, is a further safeguard.