Attackers Reinvent Masslogger Trojan to Target Popular Brands

CISO MAG | Cyber Security Magazine, February 19, 2021

The post Attackers Reinvent Masslogger Trojan to Target Popular Brands appeared first on CISO MAG | Cyber Security Magazine.

A new version of the Masslogger Trojan has been targeting Windows users in a new phishing campaign. Cybersecurity experts from Cisco Talos stated that they’ve found an improved version of the Masslogger Trojan, designed to pilfer login credentials from popular applications like Microsoft Outlook, Google Chrome, and other messenger accounts. The new Masslogger phishing campaign, which was uncovered in mid-January 2021, targeted users across Italy, Latvia, and Turkey.

What is Masslogger?

Masslogger is spyware written in .NET that steals user credentials from browsers, popular messaging applications, and email clients.

Improved Masslogger Trojan

First identified in April 2020, the Trojan is sold by its authors in updated versions to other malicious actors on underground dark web forums.

Researchers found that Masslogger operators evade detection by disguising their malicious RAR files as Compiled HTML (CHM) files. The new variant shows how malware developers keep updating their techniques.

“Although operations of the Masslogger Trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain. This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware’s processes,” researchers said.

How Masslogger Trojan Attacks

The infection starts with an email carrying a malicious RAR attachment and a legitimate-looking subject line that claims to come from a business. The archive and the files it drops use the extensions .rar, .r00, and .chm, so that programs that block email attachments based on file extension alone miss it. The payloads are hosted on compromised legitimate hosts under a filename consisting of one letter and one digit followed by the extension .jpg.
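The infection chain above suggests a content-based check a mail gateway or proxy could run. The following Python is an added example, not code from the article or from Cisco Talos: it identifies attachments by their leading bytes rather than their extension (extension-based blocking is exactly what the renamed .r00/.chm attachment evades) and flags downloads whose filename is one letter, one digit and .jpg. The magic-number signatures are standard; all sample inputs are constructed.

```python
import re
from typing import Optional

# Leading-byte signatures of the formats the article names (standard magic numbers).
MAGIC = {
    b"Rar!\x1a\x07": "rar",   # RAR archive (RAR4 and RAR5 share this prefix)
    b"ITSF": "chm",           # Compiled HTML Help file
    b"\xff\xd8\xff": "jpeg",  # genuine JPEG image
}

# Attachment extensions from the article's infection chain.
LURE_EXT = {".rar", ".r00", ".chm"}

# Payload hosted as one letter + one digit + ".jpg" on a compromised host.
PAYLOAD_NAME_RE = re.compile(r"(?:^|/)[A-Za-z][0-9]\.jpg$", re.IGNORECASE)


def sniff(data: bytes) -> Optional[str]:
    """Identify a file by its leading bytes instead of trusting its extension."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def check_file(name: str, data: bytes) -> list:
    """Findings for one file (mail attachment or download), given name and first bytes."""
    findings = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    kind = sniff(data)
    if ext in LURE_EXT:
        findings.append(f"extension {ext} matches Masslogger lure pattern")
    # Renaming the archive defeats extension-based blocking; content sniffing does not care.
    if kind in ("rar", "chm") and ext not in LURE_EXT:
        findings.append(f"content is {kind} but extension is {ext or 'none'}")
    # A ".jpg" that is not a JPEG is the hosting trick described for the payload.
    if ext == ".jpg" and kind != "jpeg":
        findings.append("file named .jpg is not a JPEG image")
    return findings


def check_url(url: str) -> Optional[str]:
    """Flag a download whose path uses the letter-digit .jpg payload naming."""
    path = url.split("?", 1)[0]
    if PAYLOAD_NAME_RE.search(path):
        return f"payload-style filename in {url}"
    return None
```

A single letter-digit .jpg URL is a weak signal on its own; in practice it is worth alerting only when combined with the archive or CHM finding from the same mailbox or host.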

The Masslogger Trojan payload is designed to retrieve and exfiltrate user credentials from a variety of sources. According to Cisco Talos, the new version of Masslogger can target and retrieve credentials from the following applications:

  • Pidgin messenger client
  • FileZilla FTP client
  • Discord
  • NordVPN
  • Outlook
  • FoxMail
  • Thunderbird
  • Firefox
  • QQ Browser
  • Chromium-based browsers (Chrome, Chromium, Edge, Opera, Brave)

“While most of the public attention seems to be focused on ransomware attacks, big game hunting, and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users’ credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks. Based on the IOCs we retrieved, we have moderate confidence that this actor has previously used other payloads such as AgentTesla, Formbook, and AsyncRAT in campaigns starting as early as April 2020,” researchers added.
