Cybercriminals use nifty tactics to sidestep defensive programs to stay under the radar. One such move has been made by the Masslogger trojan recently. Cisco Talos has discovered an attack campaign utilizing a new Masslogger variant.


About the campaign 

The new Masslogger variant has been designed to retrieve and exfiltrate user credentials from several sources, such as Microsoft Outlook, Google Chrome, and instant messengers.
  • In this campaign, the attackers have been actively targeting Windows systems and users in Italy, Latvia, and Turkey since at least mid-January.
  • The emails were typically using legitimate-looking subject lines related to business with malicious RAR file attachments, with lightly obfuscated JavaScript code.
  • The campaign has been observed disguising its malicious RAR files as Compiled HTML (CHM) files, which are used to start the infection chain. The CHM files are more likely used to evade or bypass content filters or blockers.

What’s so special?

The threat actors behind the recent Masslogger campaign have employed a multi-modular approach in their campaigns so far. All of their observed campaigns have started with a phishing email and carried them through to the final payload. It is notable that apart from the initial mail attachments, all stages of the attacks are fileless.

Related incidents

  • In August 2020, attackers had launched a malicious spam email campaign to distribute MassLogger with several dangerous functionalities.
  • In July 2020, a MassLogger campaign was using several different file types as malicious attachments as an initial infection vector.

Earlier campaigns by the same threat actors

  • Some earlier campaigns by the same threat actors were observed targeting European countries such as Bulgaria, Estonia, Hungary, Italy, Latvia, Lithuania, Romania, Spain, and Turkey in September, October, and November of 2020.
  • The researchers have moderate confidence that connects this threat actor to campaigns using AgentTesla malware with similar goals in April 2020.

Conclusion

Adoption of fileless malware-related technology and multi-modular approach indicates that this threat actor is making continuous investments in enhancing its toolset, and it could be planning to penetrate targets of higher value in the near future. Therefore it is important for organizations to regularly make investments into their security infrastructure to cope up with such evolving threats.

Cyware Publisher

Publisher

Cyware