Masslogger Campaigns Exfiltrates Clients Credentials – E Hacking News
Assailants are continually reinventing approaches to monetize their tools. Cisco Talos as of late found an intriguing campaign affecting Windows systems and focusing on clients in Turkey, Latvia, and Italy, albeit similar campaigns by the same actor have likewise been focusing on clients in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October and November 2020. The threat actor utilizes a multi-modular approach that begins with the underlying phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. However, it can likewise be a shortcoming, as there are a lot of chances for defenders to break the kill chain.
Conveyed through phishing emails, the Masslogger trojan’s most recent variation is contained inside a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla’s security research arm. Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.”
Masslogger is not an entirely new creation of the malware industry: Talos highlighted research by infosec chap Fred HK. He ascribed it to a malware underground persona who goes by the handle of NYANxCAT. Costs for Masslogger were apparently $30 for three months or $50 for a lifetime license. Cisco’s analysis showed that Masslogger “is almost entirely executed and present only in memory” with just the email attachment and the HTML help file.