New Variant of MassLogger Trojan Malware targets Microsoft Outlook & Google Chrome

Overview of MassLogger v3

This report is about recent malware campaigns utilizing the MassLogger trojan (written in . NET). Previously we have covered features of MassLogger in TIR-20200821. However, recent research has revealed a new variant of the malware, dubbed MassLogger v3 by Avast. The primary goal of these campaigns is credential exfiltration, targeting popular applications such as Microsoft Outlook and Google Chrome.

TIR-20210228 Tactics, Techniques, and Procedures   

MassLogger v3 largely maintains similar functionality as previous versions (password recovery, USB spreading, data exfiltration via FTP/SMTP/HTTP, anti-sandbox/VM/debugger detection, etc.). Though keylogging was the main feature, it is disabled in this variant. Other changes in version 3 include increased obfuscation and defense evasion techniques, leaving fewer traces of the malware on victim hosts. Analysis of the malware from Cisco Talos Intelligence Group notes the below applications are targeted for credential exfiltration in this campaign:

• Pidgin messenger client
• FileZilla FTP client
• Discord
• NordVPN
• Outlook
• FoxMail
• Thunderbird
• Firefox
• QQ Browser
• Chromium-based browsers (Chrome, Chromium, Edge, Opera, Brave)

Infection begins with a phishing email containing a compressed RAR file attachment. To attempt bypassing security controls that will strip .rar email attachments, the multivolume file extension is used (.r00 to .r99). Within the archive is a single compiled HTML file (.chm). This is one unique change in the infection chain of other MassLogger variants. The .chm file contains obfuscated JavaScript and presents itself as a seemingly harmless HTML Help file.

The JavaScript code is used to execute PowerShell as a downloader. PowerShell reaches out to a server hosting the next stage in the form of a .jpg file, the PowerShell loader. The loader is used to load a .NET DLL, create the “msbuild.exe” process, and inject the final payload into memory on the victim host. Once infected, users can expect MassLogger to gather credentials from any of the targeted applications and attempt exfiltration.

Business Unit Impact

• This will lead to unauthorized data exfiltration, including user credentials.
• May allow for malicious actors to successfully compromise user credentials and sensitive data.

Recommendations

• Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
• Block and monitor for activity involving the linked IOCs.

IOCs:

• https://otx.alienvault.com/pulse/6035392eab4d19d868aff18b
• https://otx.alienvault.com/pulse/602d3c9c7078054d4492c9a2

Sources

• https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html
• https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/

Supporting Documentation

• MITRE Mapping(s)
  • Initial Access: https://attack.mitre.org/tactics/TA0001/
    • Phishing: https://attack.mitre.org/techniques/T1566/
  • Execution: https://attack.mitre.org/tactics/TA0002/
    • Command and Scripting Interpreter: PowerShell: https://attack.mitre.org/techniques/T1059/001/
    • Command and Scripting Interpreter: JavaScript/JScript
    • https://attack.mitre.org/techniques/T1059/007/
  • Defense Evasion: https://attack.mitre.org/tactics/TA0005/
    • Deobfuscate/Decode Files or information: https://attack.mitre.org/techniques/T1140/
    • Virtualization/Sandbox Evasion: https://attack.mitre.org/techniques/T1497/
  • Credential Access: https://attack.mitre.org/tactics/TA0006/ 
    • Credentials from Password Stores: Credentials from Web Browsers: https://attack.mitre.org/techniques/T1555/003/
  • Discovery: https://attack.mitre.org/tactics/TA0007/
    • System Information Discovery: https://attack.mitre.org/techniques/T1082/
    • Software Discovery: https://attack.mitre.org/techniques/T1518/
  • Collection: https://attack.mitre.org/tactics/TA0009/
    • Clipboard Data: https://attack.mitre.org/techniques/T1115/
    • Input Capture: https://attack.mitre.org/techniques/T1056/
  • Exfiltration: https://attack.mitre.org/tactics/TA0010/
    • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol: https://attack.mitre.org/techniques/T1048/003/
• https://www.zdnet.com/article/masslogger-trojan-reinvented-to-steal-outlook-chrome-credentials/
• https://fr3d.hk/blog/masslogger-frankenstein-s-creation

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.