Cred-stealing trojan harvests logins from Chromium browsers, Outlook and more, warns Cisco Talos • The Register


Cisco Talos has uncovered a credential-stealing trojan that lifts your login details from the Chrome browser, Microsoft’s Outlook and instant messengers.

Delivered through phishing emails, the Masslogger trojan’s latest variant arrives as a compiled HTML help (.chm) file packed inside a multi-volume RAR archive carrying the .r00 extension, said Switchzilla’s security research arm.

“CHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Every stage of the infection is obfuscated to avoid detection using simple signatures,” it said.

Opening the “help” file deploys the malware onto the target system.
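As an added illustration (not code from Talos or The Register), a mail-gateway style check can flag the delivery pattern described above: a .rNN volume extension, or a RAR4 archive whose stored member names include a .chm file. It walks the RAR4 header layout only (RAR5 uses a different format), and the function names and sample file names are constructed for this example.

```python
import re
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
CHM_MAGIC = b"ITSF"                                   # compiled HTML help signature
VOLUME_EXT = re.compile(r"\.r\d{2}$", re.IGNORECASE)  # .r00, .r01, ...

def rar4_member_names(data):
    """Walk RAR4 block headers; return stored names, or None if headers are encrypted."""
    names, pos = [], len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break                                     # corrupt header, stop walking
        if htype == 0x73 and flags & 0x0080:
            return None                               # main header flags encrypted headers
        extra = 0
        if htype == 0x74 and pos + 32 <= len(data):   # file header block
            extra, = struct.unpack_from("<I", data, pos + 7)       # packed data size
            name_len, = struct.unpack_from("<H", data, pos + 26)
            start = pos + 32 + (8 if flags & 0x0100 else 0)        # skip 64-bit sizes
            raw = data[start:start + name_len].split(b"\x00")[0]   # drop Unicode tail
            names.append(raw.decode("utf-8", "replace"))
        elif flags & 0x8000 and pos + 11 <= len(data):
            extra, = struct.unpack_from("<I", data, pos + 7)       # generic ADD_SIZE
        pos += hsize + extra
    return names

def triage_attachment(filename, data):
    """Return the reasons an attachment matches the delivery pattern in the article."""
    reasons = []
    if VOLUME_EXT.search(filename):
        reasons.append("rar-volume-extension")
    if data.startswith(CHM_MAGIC):
        reasons.append("chm-content")
    if data.startswith(RAR4_MAGIC):
        names = rar4_member_names(data)
        reasons += (["rar-encrypted-headers"] if names is None else
                    ["chm-member:" + n for n in names if n.lower().endswith(".chm")])
    return reasons

def constructed_rar4(member):
    """Constructed sample: RAR4 volume layout with zeroed CRCs and a 4-byte payload."""
    name = member.encode()
    main = struct.pack("<HBHH", 0, 0x73, 0x0001, 13) + b"\x00" * 6
    fhdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, 0x8000, 32 + len(name),
                       4, 4, 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    return RAR4_MAGIC + main + fhdr + CHM_MAGIC
```

Calling `triage_attachment("inquiry.r00", constructed_rar4("inquiry.chm"))` returns both the extension hit and the member-name hit; an archive with encrypted headers is reported separately because its member names cannot be read.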

Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.”

Apps vulnerable to these dastardly cred-stealing doings include Discord, Microsoft Outlook, Mozilla Thunderbird, Firefox and Chromium-based browsers. The malware also tries to exclude itself from Windows Defender scans.

The second stage of the infection is a PowerShell script, a common technique, that loads the main Masslogger loader from compromised legitimate hosts as a .jpg file. From there the loader is deployed and executed.

Talos said the malicious folk behind Masslogger were mostly targeting southern and eastern European countries: “Based on the combination of discovered emails and file names, we believe it was targeting organizations in Turkey, Latvia and Italy. We have observed similar campaigns happening in several instances before, starting no later than September 2020. In previous campaigns, the actor was targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain.”

Masslogger is not an entirely new creation of the malware industry: Talos pointed to previous research by infosec chap Fred HK. He attributed it to a malware underground persona who goes by the handle of NYANxCAT. Prices for Masslogger were apparently $30 for three months or $50 for a lifetime licence.

Cisco’s analysis showed that Masslogger “is almost entirely executed and present only in memory”, with only the email attachment and the HTML help file present on disk.

In-memory malware erupted in the early-to-mid 2000s. Its USP for malware criminals is that the malware is wiped from a target system on reboot. Recently the technique has been deployed against Linux and Apple operating systems. ®
