A new variant of the Trojan is now circulating, primarily targeting Microsoft Outlook and Chrome users in Latvia, Turkey and Italy, in a campaign that started in January and is still ongoing. MassLogger was first spotted in April 2020, and its credential-stealing capabilities have since expanded to cover instant messenger applications.
According to researchers at Cisco Talos, this campaign is aimed at stealing credentials and other information from the browsers and messenger apps of users in Turkey, Latvia and Italy.
How MassLogger's new variant steals credentials from Chrome and Outlook users
The new variant starts its infection chain from a compiled HTML (.chm) file, a format that lets the first stage run largely undetected by security tooling on Windows. The chain is aimed at business users and uses email as the attack vector: the message carries a RAR archive, and the archive contains the .chm file.
The rest of the infection chain is split between JavaScript, PowerShell and .NET, while the attachments follow a consistent pattern: the RAR archive is given a multi-volume filename extension (for example "70727_YK90054_Teknik_Cizimler.R09") instead of the default ".rar", which defeats mail filters that block RAR attachments by the ".rar" extension alone.
WinRAR's multi-volume naming scheme uses extensions such as ".r00", ".r01" and so on, and WinRAR or any other RAR-capable unarchiver opens a file carrying one of these extensions without any problem. Since the targets are mainly business users in Turkey, Latvia and Italy, each email is written in the language that matches the top-level domain of the recipient's address.
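Because the lure relies on the filter looking only at the extension, the practical countermeasure is to classify attachments by content. The following PowerShell is an added example written for this article, not code from the Talos report: it identifies a RAR archive by its marker bytes (RAR 1.5 to 4.x and RAR 5.x) regardless of the filename, and separately flags names that use the multi-volume pattern. The sample file it writes to the temp directory is constructed here purely for illustration.

```powershell
# Added example, not code from the Talos report: identify a RAR archive by its
# content signature, so a renamed volume such as "...R09" is caught even when
# only the ".rar" extension is blocked. The sample file below is constructed here.

$RarSignatures = @(
    [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07,0x00),        # "Rar!\x1A\x07\x00"     RAR 1.5 - 4.x
    [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07,0x01,0x00)    # "Rar!\x1A\x07\x01\x00" RAR 5.x
)

function Test-RarSignature {
    # Returns $true when $Header begins with a known RAR marker block.
    param([Parameter(Mandatory)][byte[]]$Header)
    foreach ($sig in $RarSignatures) {
        if ($Header.Length -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($Header[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

function Test-SuspiciousArchive {
    # Reports whether a file looks like a RAR volume by name, and whether it is one by content.
    param([Parameter(Mandatory)][string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    # WinRAR multi-volume extensions ".r00" .. ".r99"; -match is case-insensitive, so ".R09" counts.
    $volumeStyleName = $name -match '\.r\d{2}$'

    # Read only the first 8 bytes; enough for either RAR marker block.
    $header = New-Object byte[] 8
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $read = $stream.Read($header, 0, $header.Length) }
    finally { $stream.Dispose() }
    $isRar = ($read -gt 0) -and (Test-RarSignature -Header $header[0..($read - 1)])

    [pscustomobject]@{
        File                 = $name
        VolumeStyleExtension = $volumeStyleName
        ContentIsRar         = $isRar
        Block                = $isRar    # decide on content, not on the extension
    }
}

# Constructed sample: a RAR 5 marker block followed by filler, saved under a
# multi-volume-style name in the temp directory (path is an assumption for the demo).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) '70727_YK90054_Teknik_Cizimler.R09'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07,0x01,0x00,0x00,0x00,0x00,0x00))
Test-SuspiciousArchive -Path $sample
Remove-Item $sample
```

Run against a directory of quarantined attachments with `Get-ChildItem -File | ForEach-Object { Test-SuspiciousArchive -Path $_.FullName }`. The point of the `Block` column is that it follows `ContentIsRar`, not the extension: a plain `.rar` renamed to `.R09`, `.dat` or anything else still produces the same marker bytes, while the name-based check is only there to surface the evasion attempt for triage.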
How to safeguard against MassLogger's new variant
Since email remains the main attack vector, users should not open suspicious emails or their attachments; if they do open such an email, they should still not download or open its attachments for any reason.
Additionally, administrators should configure systems to log PowerShell events such as module loading and executed script blocks, since those records show the executed code in deobfuscated form. They should also use an advanced malware protection solution, such as Cisco's, rather than relying on the built-in Windows protection alone.
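The logging advice above maps to two Windows PowerShell policy settings. The script below is an added example, not part of the Talos report: it sets the registry values that Group Policy writes for script block logging and module logging, then reads back the most recent script block events. It assumes it is run from an elevated prompt on the endpoint being configured.

```powershell
# Added example (not from the Talos write-up): enable PowerShell script block and
# module logging through the registry values that Group Policy sets, then read the
# resulting events. Run in an elevated PowerShell on the endpoint being configured.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational.
# The event carries the script text as PowerShell compiled it, so an
# Invoke-Expression of a Base64-decoded string is logged as the decoded code.
New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$policy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Module logging -> event 4103, pipeline execution details per module; '*' means all modules.
New-Item -Path "$policy\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$policy\ModuleLogging" -Name 'EnableModuleLogging' `
    -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path "$policy\ModuleLogging\ModuleNames" -Name '*' `
    -PropertyType String -Value '*' -Force | Out-Null

# Pull the most recent script blocks; Properties[2] of a 4104 event is ScriptBlockText.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20 |
    Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
```

These keys live under HKLM\SOFTWARE\Policies, so a domain Group Policy Object will overwrite local changes on the next refresh; in a domain, set the same two options under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell instead. Forward the Microsoft-Windows-PowerShell/Operational log to a central collector, because a stager that has already run may clear the local log.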