Cisco Talos has found a new variant of an old spyware family that has attacked the Windows platform for years. It has returned with more capabilities. The spyware can go largely undetected on Windows, and it targets users and steals their credentials from browsers and apps.
Attackers keep improving their malicious tools to achieve their goals. The re-emergence of this credential-stealing campaign affects Windows systems and steals information from the Google Chrome browser, the Microsoft Outlook app, and instant messaging apps installed on the machine.
Masslogger is a .NET-based spyware program, first seen in April last year, that attempts to steal information from browsers and social media apps. This new variant is more capable at evading detection and at the same time opens a revenue stream for the attackers. It uses the compiled HTML (CHM) file format to start the infection chain, and goes nearly undetected at every security layer in Windows. This file format is used for Windows Help files and can contain active scripts; in the case of Masslogger’s new variant, the embedded JavaScript triggers the malware.
Cisco Talos researchers said that “infection starts with an email message containing a legitimate-looking subject line that seems to relate to a business.” The researchers say the CHM “is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process.” Every stage in the process is “obfuscated” to escape detection “using single signatures.” The second stage essentially creates a PowerShell script that deciphers the code into a downloader, which in turn downloads the main PowerShell loader that hosts the malware files. “The Masslogger loaders seem to be hosted on compromised legitimate hosts with a filename containing one letter and one number concatenated with the filename extension .jpg,” the researchers said in the report, for instance “D9.jpg”.
Masslogger can also be configured as a keylogger that records keystrokes, but this functionality is not enabled in the observed variant. One of the sample emails carried the subject line “Domestic customer inquiry”; its attachment compromised the user’s computer with the malware. The file was named “70727_YK90054_Teknik_Cizimler.R09”, a RAR archive given an extension other than .rar. Researchers found that this Masslogger variant not only exfiltrates data over SMTP, FTP, and HTTP, but also steals data from the Pidgin messenger client, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and all Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, and Brave.
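The two observable traits the report gives a mail gateway or analyst to work with are an attachment that is not what its extension claims (a CHM help file, or a RAR archive renamed to something like .R09) and loader URLs whose file name is one letter plus one digit plus .jpg. The following is an added triage example written for this article, not code from Cisco Talos or from the Masslogger report; it checks attachments by their magic bytes rather than their names and matches the reported loader naming pattern. The sample attachments, the RAR and CHM signatures used as input, and the host names in the URLs are constructed or hypothetical; only the file name and the "D9.jpg" pattern come from the article.

```python
import re
from typing import Dict, List, Optional, Tuple

# Documented file signatures at offset 0: RAR archives begin with "Rar!\x1a\x07"
# (both the 4.x and 5.x headers share this prefix), CHM files begin with "ITSF".
RAR_MAGIC = b"Rar!\x1a\x07"
CHM_MAGIC = b"ITSF"

# Loader file-name pattern quoted in the report: one letter, one digit, ".jpg".
LOADER_NAME_RE = re.compile(r"^[A-Za-z][0-9]\.jpg$", re.IGNORECASE)


def sniff_type(data: bytes) -> Optional[str]:
    """Return the real container type from magic bytes, ignoring the file name."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def attachment_findings(filename: str, data: bytes) -> List[str]:
    """Flag the two attachment traits described for this campaign."""
    findings: List[str] = []
    ext = extension_of(filename)
    kind = sniff_type(data)
    if kind == "chm" or ext == "chm":
        # Compiled HTML help files can carry active script and rarely belong in business mail.
        findings.append("chm-attachment")
    if kind == "rar" and ext != "rar":
        # An archive whose name hides what it is, e.g. ".R09" instead of ".rar".
        findings.append(f"rar-disguised-as-.{ext}")
    return findings


def url_findings(url: str) -> List[str]:
    """Flag URLs whose last path element matches the reported loader naming pattern."""
    name = url.rstrip("/").rsplit("/", 1)[-1]
    return ["loader-like-filename"] if LOADER_NAME_RE.match(name) else []


def triage_email(attachments: List[Tuple[str, bytes]], urls: List[str]) -> Dict[str, object]:
    """Combine per-attachment and per-URL findings into one verdict for a message."""
    findings: Dict[str, List[str]] = {}
    for name, data in attachments:
        hits = attachment_findings(name, data)
        if hits:
            findings[name] = hits
    for url in urls:
        hits = url_findings(url)
        if hits:
            findings[url] = hits
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample input (not real captures): a RAR hidden behind .R09 using the
# file name from the article, a CHM attachment, a benign PDF, and two URLs on
# hypothetical hosts, one matching the "D9.jpg" pattern and one not.
SAMPLE_ATTACHMENTS = [
    ("70727_YK90054_Teknik_Cizimler.R09", RAR_MAGIC + b"\x00" + b"\x00" * 32),
    ("help.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 32),
    ("invoice.pdf", b"%PDF-1.7\n" + b"\x00" * 32),
]
SAMPLE_URLS = [
    "https://compromised-host.invalid/images/D9.jpg",
    "https://cdn.example/photos/summer_2021.jpg",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage_email(SAMPLE_ATTACHMENTS, SAMPLE_URLS), indent=2))
```

Matching on magic bytes instead of extensions is what makes the RAR rename visible; the URL check is deliberately narrow (exactly one letter and one digit) so that ordinary image names such as summer_2021.jpg do not trip it, which keeps the rule usable as a hunting query rather than a blocking control.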
Researchers advised users never to open a suspicious email and to refrain from downloading or clicking on any of its attachments. Beyond email filtering, an advanced malware protection solution on the endpoint adds a second layer that protects the device itself, not just the mailbox.