MassLogger Malware Overview
This threat report provides an overview of the MassLogger malware, the tactics, techniques and procedures used and what you can do to protect your organization.
MassLogger is recognized as spyware with keylogging and credential stealing capabilities and contains actionable intelligence to protect against this risk.
The malware was first sighted in April 2020 and began to gain exposure from researchers in June. The threat actor NYANxCAT is widely recognized as the author and seller of the malware and has in the past written other malware such as AsyncRAT and LimeRAT. Due to its profitability, regular feature updates to the malware are expected by the author.
MassLogger Spyware Tactics, Techniques, and Procedures
MassLogger is a fully featured malware written in .NET, with a variety of modules. It is designed for easy use by less technical malicious actors. Some of its functions include FTP, email, keylogging, and a variety of evasion techniques to avoid analysis from sandboxes and honeypots. Another unique capability of the malware is USB spreading, similar to LimeUSB, which was also written by NYANxCAT. Code for this and other malware from the author is available in a public GitHub repository: https://github.com/NYAN-x-CAT
The goal of MassLogger malware is to gather and exfiltrate sensitive data from infected hosts. It will check the host for installations of specific software and attempt to find stored passwords. MassLogger gathers data about the host into a log file, much like its name implies, and then sends it to the malicious actor’s server.
Initial access is normally gained by the malware through phishing techniques. A malicious attachment is used to deliver the payload to the victim. If the attachment itself does not directly contain the malware, it is often a Microsoft Office document with a malicious VBA macro used to download it. Seqrite notes that the below file attachment types have all been seen in MassLogger phishing attempts:
What MassLogger Malware Means to You and What You Can Do
Possible MassLogger effects:
- May result in sensitive file exfiltration and data leakage.
- May result in compromised user credentials.
What you can do to protect your organization:
- Because MassLogger has only been observed infecting through phishing attempts, we recommend providing your users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
- As a general rule it is best practice to disable all Office macros by default and only have them enabled when it is necessary for a user’s daily job responsibilities. This will provide a measure of defense against files downloaded that contain malicious macros.
Indicators of Compromise
IOCs are provided in each of the linked sources, and in the AlienVault OTX pulses below:
Sources and Other Helpful Resources
- Initial Access: https://attack.mitre.org/tactics/TA0001/
- Defense Evasion: https://attack.mitre.org/tactics/TA0005/
- Discovery: https://attack.mitre.org/tactics/TA0007/
- Collection: https://attack.mitre.org/tactics/TA0009/
8 Steps to Take if You’ve Been Breached
With the prevalence, severity and sophistication of cybersecurity attacks growing by the day, businesses of all types and sizes are scrambling to protect themselves. This best practices guide takes you through the 8 essential steps to managing a data breach. Download now.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.