Masslogger Swipes Microsoft Outlook, Google Chrome Credentials


A new version of the Masslogger trojan has been targeting Windows users – now using a compiled HTML (CHM) file format to start the infection chain.

Cybercriminals are targeting Windows users with a new variant of the Masslogger trojan, which is spyware designed to swipe victims’ credentials from Microsoft Outlook, Google Chrome and various instant-messenger accounts.

Researchers uncovered the campaign targeting users in Italy, Latvia and Turkey starting in mid-January. When the Masslogger variant launched its infection chain, it disguised its malicious RAR files as Compiled HTML (CHM) files. This is a new move for Masslogger, and helps the malware sidestep potential defensive programs, which would otherwise block the email attachment based on its RAR file extension, said researchers on Wednesday.

“The use of compiled HTML (usually used for Windows help files) can be advantageous for the attacker since the initial infection vector is email,” Vanja Svajcer, outreach researcher with Cisco Talos, told Threatpost. “Many organizations will not consider CHM files to be executables so it is more likely they will evade content filters filtering incoming email messages based on the attachment name or type.”

Masslogger is a spyware program, which is written in .NET and steals browser, email and instant-messaging credentials. The trojan was released in April and has since been sold on underground forums.

“Masslogger is a commodity malware that has been in development and circulation for almost a year now,” Svajcer told Threatpost. “It is sold on underground forums for a relatively modest amount of money and it can be used by any malicious actor. We wanted to emphasize that these campaigns with these particular spreading techniques can likely be linked to a single actor, based on the exfiltration server domain used in all campaigns for exfiltrating credentials.”

Masslogger’s Infection Chain: Spear-Phishing Emails


An example of a spear-phishing email targeting victims in Turkey. Credit: Cisco Talos

Researchers said the recent attack kicked off with email messages that contained “legitimate-looking” subject lines related to business. One email, for example, was entitled “Domestic customer inquiry” and told the recipient, “At the request of our customer, please send your attached best quotes.”

These emails contained RAR attachments – however, of note, while the typical filename extension for RAR files is .rar, the attackers in this case disguised them with the .chm file extension. The files were named with the pattern “r00,” with the number incrementing for each file in an email.

The Compiled HTML (CHM) file format is used for help documentation — the files are compiled and saved in a compressed HTML format. They may include text, images and hyperlinks. CHM files are used by Windows programs as an online help solution.

This attachment filename extension is sometimes chosen to bypass “simple blockers,” which attempt to block RAR attachments based on the default filename extension “.rar,” said Svajcer. WinRAR and other RAR-capable unarchivers will still open the renamed files without problems, he noted, because they identify the archive by its content rather than its extension.
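A content-based check for the trick described above: instead of trusting the attachment's extension, inspect the leading bytes and compare them with what the extension claims. This is an added example, not Cisco Talos code; the sample attachment bytes are constructed, and the filenames only follow the “r00”-style naming pattern the article mentions.

```python
from typing import Optional

# Leading bytes (file signatures) of the two formats involved. These are the
# published signatures of the formats; everything below them is constructed.
MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 1.5-4.x, RAR 5.x
    "chm": (b"ITSF",),                                      # Compiled HTML Help
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the real container format from its leading bytes, or None if unknown."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def extension_of(filename: str) -> str:
    """Claimed type: the part after the last dot, lower-cased ('' if there is none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose content does not match their extension.

    Policy (an assumption for this example): RAR content is blocked regardless
    of the name it arrives under; any other mismatch is queued for review.
    """
    ext = extension_of(filename)
    real = sniff_format(data)
    mismatch = real is not None and ext != real
    if real == "rar":
        action = "block"
    elif mismatch:
        action = "review"
    else:
        action = "allow"
    return {"name": filename, "ext": ext, "real": real,
            "mismatch": mismatch, "action": action}


# Constructed sample attachments: a RAR5 archive renamed to .chm (the trick in
# the article), a genuine CHM file, and an honestly named RAR4 archive.
SAMPLES = {
    "r00.chm": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,
    "help.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 32,
    "quote.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(classify_attachment(name, blob))
```

An extension-only filter passes “r00.chm” untouched; the signature check reports it as RAR and blocks it, while the real CHM file is still allowed.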

The Masslogger infection chain. Credit: Cisco Talos

In this case, the attached files contain an embedded HTML file with “light-obfuscated” JavaScript code, which, once opened, starts the active infection process.

After the active infection process starts, a PowerShell script executes, which eventually de-obfuscates into a downloader. This then downloads and loads the main PowerShell loader.

“The main payload is a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from a variety of sources, targeting home and business users,” said Svajcer. “Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality.”

Microsoft Outlook, Google Chrome Credentials Under Attack

The Masslogger payload contains the functionality to target and steal credentials from the following applications: Pidgin (a free and open-source multi-platform instant messenger client), the FileZilla File Transfer Protocol (FTP) client, the Discord group-chatting platform, NordVPN, Outlook, FoxMail, Firefox, Thunderbird, QQ Browser and Chromium-based browsers (Chrome, Chromium, Edge, Opera and Brave).

“Once the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a filename containing the username, two-letter country ID, unique machine ID and the timestamp for when the file was created,” said Svajcer.

Masslogger Malware Continues to Evolve


Locations targeted by Masslogger. Credit: Cisco Talos

Researchers believe that the actor behind the campaign is tied to other attacks, which date back to at least September. These campaigns have targeted several European countries and shift their focus monthly. For instance, researchers detected email messages targeting Bulgaria, Estonia, Hungary, Italy, Latvia, Lithuania, Romania, Spain and Turkey, as well as messages written in English.

Based on the indicators of compromise (IoCs) that researchers retrieved, they said that they have “moderate confidence” that this attacker has previously used other payloads such as the AgentTesla trojan and the Formbook dropper in campaigns starting as early as April.

“The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload,” said Svajcer. “The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the kill chain.”
