- WHY AVERTIUM?
-
-
Why Avertium?
Context over chaos. Disconnected technologies, siloed data, and reactive processes can only get you so far. Protecting businesses in today’s threat landscape demands more than a set of security tools – it requires context.
That's where Avertium comes in
-
Considering Microsoft?
Avertium Named Microsoft Security Solutions PartnerAvertium’s managed services for Microsoft Security Solutions is delivered through the company’s premium service: Fusion MXDR. Fusion MXDR includes 24x7 monitoring and management of Defender for Endpoint and Sentinel, threat intelligence, attack surface
monitoring, and vulnerability management for Microsoft Security customers.
-
-
- SOLUTIONS
- COMPANY
- PARTNERS
-
-
Our Partners
Best-in-class technology from our partners... backed by service excellence from Avertium.
-
Partner Opportunity Registration
Interested in becoming a partner?
With Avertium's deal registration, partners can efficiently and confidently connect with Avertium on opportunities to protect your deals.
-
-
- NEWS & RESOURCES
- CONTACT
Overview of MassLogger v3
This report is about recent malware campaigns utilizing the MassLogger trojan (written in . NET). Previously we have covered features of MassLogger in TIR-20200821. However, recent research has revealed a new variant of the malware, dubbed MassLogger v3 by Avast. The primary goal of these campaigns is credential exfiltration, targeting popular applications such as Microsoft Outlook and Google Chrome.
TIR-20210228 Tactics, Techniques, and Procedures
MassLogger v3 largely maintains similar functionality as previous versions (password recovery, USB spreading, data exfiltration via FTP/SMTP/HTTP, anti-sandbox/VM/debugger detection, etc.). Though keylogging was the main feature, it is disabled in this variant. Other changes in version 3 include increased obfuscation and defense evasion techniques, leaving fewer traces of the malware on victim hosts. Analysis of the malware from Cisco Talos Intelligence Group notes the below applications are targeted for credential exfiltration in this campaign:
- Pidgin messenger client
- FileZilla FTP client
- Discord
- NordVPN
- Outlook
- FoxMail
- Thunderbird
- Firefox
- QQ Browser
- Chromium-based browsers (Chrome, Chromium, Edge, Opera, Brave)
Infection begins with a phishing email containing a compressed RAR file attachment. To attempt bypassing security controls that will strip .rar email attachments, the multivolume file extension is used (.r00 to .r99). Within the archive is a single compiled HTML file (.chm). This is one unique change in the infection chain of other MassLogger variants. The .chm file contains obfuscated JavaScript and presents itself as a seemingly harmless HTML Help file.
The JavaScript code is used to execute PowerShell as a downloader. PowerShell reaches out to a server hosting the next stage in the form of a .jpg file, the PowerShell loader. The loader is used to load a .NET DLL, create the “msbuild.exe” process, and inject the final payload into memory on the victim host. Once infected, users can expect MassLogger to gather credentials from any of the targeted applications and attempt exfiltration.
Business Unit Impact
- This will lead to unauthorized data exfiltration, including user credentials.
- May allow for malicious actors to successfully compromise user credentials and sensitive data.
Recommendations
- Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
- Block and monitor for activity involving the linked IOCs.
IOCs:
- https://otx.alienvault.com/pulse/6035392eab4d19d868aff18b
- https://otx.alienvault.com/pulse/602d3c9c7078054d4492c9a2
Sources
- https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html
- https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/
Supporting Documentation
- MITRE Mapping(s)
- Initial Access: https://attack.mitre.org/tactics/TA0001/
- Execution: https://attack.mitre.org/tactics/TA0002/
- Command and Scripting Interpreter: PowerShell: https://attack.mitre.org/techniques/T1059/001/
- Command and Scripting Interpreter: JavaScript/JScript
- Defense Evasion: https://attack.mitre.org/tactics/TA0005/
- Deobfuscate/Decode Files or information: https://attack.mitre.org/techniques/T1140/
- Virtualization/Sandbox Evasion: https://attack.mitre.org/techniques/T1497/
- Credential Access: https://attack.mitre.org/tactics/TA0006/
- Credentials from Password Stores: Credentials from Web Browsers: https://attack.mitre.org/techniques/T1555/003/
- Discovery: https://attack.mitre.org/tactics/TA0007/
- System Information Discovery: https://attack.mitre.org/techniques/T1082/
- Software Discovery: https://attack.mitre.org/techniques/T1518/
- Collection: https://attack.mitre.org/tactics/TA0009/
- Clipboard Data: https://attack.mitre.org/techniques/T1115/
- Input Capture: https://attack.mitre.org/techniques/T1056/
- Exfiltration: https://attack.mitre.org/tactics/TA0010/
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol: https://attack.mitre.org/techniques/T1048/003/
- https://www.zdnet.com/article/masslogger-trojan-reinvented-to-steal-outlook-chrome-credentials/
- https://fr3d.hk/blog/masslogger-frankenstein-s-creation
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.