Attackers Reinvent Masslogger Trojan to Target Popular Brands

A new version of the Masslogger Trojan is now using a compiled HTML file format to start an infection chain and evade detection.

A new version of the Masslogger Trojan has been targeting Windows users in a new phishing campaign. Cybersecurity experts from Cisco Talos stated that they’ve found an improved version of the Masslogger Trojan, designed to pilfer login credentials from popular applications such as Microsoft Outlook and Google Chrome, as well as from messenger accounts. The new Masslogger phishing campaign, which was uncovered in mid-January 2021, targeted users across Italy, Latvia, and Turkey.

What is Masslogger?

Masslogger is spyware written in .NET that steals user credentials from browsers, popular messaging applications, and email clients.

Improved Masslogger Trojan

The malware was first identified in April 2020, and its authors are selling updated versions of the Trojan to other malicious actors on underground dark web forums.

Researchers found that Masslogger operators can evade detection by disguising their malicious RAR files as Compiled HTML files. The discovery of the new variant of the Trojan indicates how malware developers are constantly updating their hacking methods.

“Although operations of the Masslogger Trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain. This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware’s processes,” researchers said.

How Masslogger Trojan Attacks

The infection starts with an email that carries a malicious RAR attachment and a legitimate-looking subject line claiming to be from a business. The attachment filenames use the extensions .rar, .r00, and .chm to bypass any programs that would block the email attachment based on its file extension. The payloads are hosted on compromised legitimate hosts with a filename containing one letter and one number concatenated with the filename extension .jpg.
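
A defender-side check for the two traits described above, as an added example that is not from the article or Cisco Talos: it identifies attachments by their leading bytes instead of their extension and matches the payload naming pattern. The function names, the sample URLs, and the reading of "one letter and one number" as a single letter and a single digit are assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Public file signatures: RAR 4.x/5.x archives and compiled HTML Help (CHM).
MAGIC = {b"Rar!\x1a\x07": "rar", b"ITSF": "chm"}
# Extensions the article says the campaign uses on its attachments.
CAMPAIGN_EXTS = {"rar", "r00", "chm"}
# Assumption: a single letter and a single digit, in either order, then .jpg.
PAYLOAD_NAME = re.compile(r"^(?:[a-z]\d|\d[a-z])\.jpg$", re.IGNORECASE)


def sniff_type(data: bytes) -> str:
    """Return the container type indicated by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Judge an attachment by content, so a renamed archive is still caught."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    findings = []
    if kind == "rar" and ext != "rar":
        findings.append(f"RAR content behind .{ext or '(none)'} extension")
    if kind == "chm":
        findings.append("compiled HTML Help file (can carry active script)")
    if kind == "unknown" and ext in CAMPAIGN_EXTS:
        findings.append(f".{ext} extension but unrecognised content")
    return findings


def suspicious_payload_url(url: str) -> bool:
    """True when the last path segment matches the payload naming described."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return bool(PAYLOAD_NAME.match(name))


if __name__ == "__main__":
    # Constructed samples: header bytes and example.* hosts only.
    rar5 = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
    print(check_attachment("invoice.chm", rar5))
    print(check_attachment("invoice.rar", rar5))
    print(suspicious_payload_url("http://compromised.example/wp/D9.jpg"))
    print(suspicious_payload_url("http://compromised.example/img/holiday-2020.jpg"))
```

The URL pattern is short enough to match benign image names, so it works better as a scoring signal combined with the attachment finding than as a standalone block rule.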

The Masslogger Trojan payload is designed to retrieve and exfiltrate user credentials from a variety of sources. According to Cisco Talos, the new version of Masslogger can target and retrieve credentials from applications including:

  • Pidgin messenger client
  • FileZilla FTP client
  • Discord
  • NordVPN
  • Outlook
  • FoxMail
  • Thunderbird
  • Firefox
  • QQ Browser
  • Chromium-based browsers (Chrome, Chromium, Edge, Opera, Brave)

“While most of the public attention seems to be focused on ransomware attacks, big game hunting, and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users’ credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks. Based on the IOCs we retrieved, we have moderate confidence that this actor has previously used other payloads such as AgentTesla, Formbook, and AsyncRAT in campaigns starting as early as April 2020,” researchers added.