Business Today

Masslogger Trojan spreads fast, steals passwords from Chrome and Outlook

Security researchers at Cisco Talos have found a new variant of old spyware that has attacked the Windows platform for years.

Shubham Verma | February 19, 2021 | Updated 16:41 IST

Highlights

  • MassLogger spyware has come back in a new variant with more powers.
  • According to Cisco researchers, the spyware can now go undetected in Windows.
  • It targets users and steals their credentials from browsers and apps.

Probably the best and the worst thing about hackers is that they keep improving their malicious tools to attain their goal. The latest example is the re-emergence of a credential-stealing campaign that affects Windows systems and steals information from the Google Chrome browser, the Microsoft Outlook app, and instant messaging apps installed on the machine. Security researchers at Cisco Talos said on Wednesday that the series of attacks has primarily targeted users in Turkey, Latvia, and Italy, while similar campaigns hit users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain last year.

According to the researchers, this new campaign uses Masslogger, a well-known .NET-based spyware programme released in April last year and aimed at stealing information from browsers and social media apps. The variant used in this campaign is better at evading detection and at the same time opens a revenue stream for the hackers. It uses the compiled HTML (CHM) file format to start the infection chain, where it goes nearly undetected at every security level in Windows. This file format is used for Windows Help files and can contain active scripts; in the case of Masslogger's new variant, the embedded script is JavaScript that triggers the malware.

How does Masslogger work?

In the words of Cisco Talos researchers, "infection starts with an email message containing a legitimate-looking subject line that seems to relate to a business." The email carries a RAR file with an unusual file extension. Normally a RAR file has a .rar extension, but the attachment has a .r00 extension, which preserves the characteristics of a RAR file while bypassing any detection programs that filter attachments on the basis of file extension. The next file in the chain carries a .chm extension.

The researchers say the CHM "is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process." Every stage of the process is "obfuscated" to escape detection "using single signatures." The second stage creates a PowerShell script that decodes into a downloader, which in turn downloads the main PowerShell loader that retrieves the malware files. "The Masslogger loaders seem to be hosted on compromised legitimate hosts with a filename containing one letter and one number concatenated with the filename extension .jpg," the researchers said in the report, giving "D9.jpg" as an example.

The main payload is the actual Masslogger variant, which fetches user credentials from several sources such as browsers and instant messaging apps, affecting both personal and business users. Masslogger can also be configured as a keylogger that records keystrokes, but this variant does not have that functionality, the researchers said in the report.

One example of the campaign is an email scanned by the researchers with the subject line "Domestic customer inquiry". Its attachment was designed to compromise the user's computer with the malware. The file was named "70727_YK90054_Teknik_Cizimler.R09", a RAR file carrying an extension other than .rar. Researchers have observed that this Masslogger variant not only exfiltrates data to SMTP, FTP, and HTTP locations but also steals data from the Pidgin messenger client, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and all Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, and Brave.
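The two evasion tricks described above, the RAR attachment renamed to .r00 or .r09 to slip past extension-based filters and the PowerShell loader parked under a .jpg name, both depend on a filename saying one thing while the bytes say another. The following Python script is an added example, not code from the article or from Cisco Talos: it reads the leading bytes of each attachment and flags any mismatch between what the extension claims and what the content actually is. The filenames and byte strings it scans are constructed for illustration, and the signature table covers only the RAR, CHM and JPEG headers relevant here.

```python
"""Flag e-mail attachments whose content does not match their file extension."""
import os
import re

# Leading bytes of the three formats the article mentions (constructed table;
# these are the well-known file headers, not values taken from the campaign).
MAGIC = {
    "rar": b"Rar!\x1a\x07",    # RAR archive (v4 and v5 both start with this prefix)
    "chm": b"ITSF",            # Microsoft Compiled HTML Help
    "jpeg": b"\xff\xd8\xff",   # JPEG image
}

# What an extension-based filter would expect to find behind each extension.
EXT_TO_KIND = {".rar": "rar", ".chm": "chm", ".jpg": "jpeg", ".jpeg": "jpeg"}
# Split-volume RAR naming (.r00, .r01, ... .r99) that a plain ".rar" blocklist misses.
RAR_VOLUME_EXT = re.compile(r"^\.r\d{2}$")


def identify(data):
    """Return the content kind derived from the leading bytes, or 'unknown'."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(filename, data):
    """Compare the extension's claim with the real content and list reasons to worry."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(data)
    reasons = []
    if kind == "rar" and ext != ".rar":
        if RAR_VOLUME_EXT.match(ext):
            reasons.append(f"RAR archive under split-volume name {ext} (evades a .rar filter)")
        else:
            reasons.append(f"RAR archive under unexpected extension {ext or '(none)'}")
    if kind == "chm":
        reasons.append("compiled HTML help file (can carry active script)")
    if ext in EXT_TO_KIND and EXT_TO_KIND[ext] != kind:
        reasons.append(f"extension {ext} claims {EXT_TO_KIND[ext]} but content is {kind}")
    return {"file": filename, "content": kind, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample attachments (name, first bytes). None of this is real campaign data.
SAMPLES = [
    ("70727_YK90054_Teknik_Cizimler.R09", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),
    ("help.chm", b"ITSF\x03\x00\x00\x00" + b"\x00" * 16),
    ("D9.jpg", b"# placeholder script text standing in for a loader, not an image\r\n"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("report.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
]


def scan(samples=SAMPLES):
    """Return the names of attachments that deserve quarantine or analyst review."""
    return [r["file"] for r in (assess(n, d) for n, d in samples) if r["suspicious"]]


if __name__ == "__main__":
    for name, data in SAMPLES:
        result = assess(name, data)
        status = "FLAG" if result["suspicious"] else "ok  "
        print(f"{status} {name}: {'; '.join(result['reasons']) or 'content matches extension'}")
```

The point of the check is that a mail gateway should classify attachments by content rather than by name: extending a blocklist from .rar to .r00 through .r99 only invites the next rename, whereas a header check catches an archive or a help file whatever it is called, and catches a "picture" that is really script text. Split-volume names are legitimate on their own, so the script reports them as reasons for review rather than deciding quarantine policy by itself.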

How to protect your Windows machine?

The researchers advise that users should never open a suspicious-looking email and, if they have already opened one, should refrain from downloading or clicking on any attachments. Using an advanced malware protection solution that covers the whole machine, not just email, is the recommended way to protect your system.
