About the campaign
The new MassLogger variant has been designed to retrieve and exfiltrate user credentials from several sources, such as Microsoft Outlook, Google Chrome, and instant messengers.
In this campaign, the attackers have been actively targeting Windows systems and users in Italy, Latvia, and Turkey since at least mid-January.
The emails typically used legitimate-looking, business-related subject lines and carried malicious RAR file attachments containing lightly obfuscated JavaScript code.
The campaign has been observed disguising its malicious RAR files as Compiled HTML (CHM) files, which are used to start the infection chain. The CHM disguise is most likely intended to evade or bypass content filters or blockers.
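Because the lure relies on a RAR archive carrying a .chm extension, a mail gateway or triage script can catch the mismatch by comparing the declared extension against the file's magic bytes rather than trusting the name. The following is an added example written for this page, not tooling from the report or from any vendor; the attachment samples are constructed byte strings, and the triage_attachment helper and its verdict labels are hypothetical.

```python
"""Attachment triage: flag attachments whose extension claims CHM but whose
bytes are a RAR archive. Hypothetical helper written for this page."""

import os

# Standard leading bytes for the two container formats involved in this lure.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
CHM_MAGIC = b"ITSF"

# Extensions a gateway would expect for each detected container (constructed mapping).
EXPECTED_EXT = {
    "rar": {".rar"},
    "chm": {".chm"},
}


def detect_container(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment.

    'suspicious' when the declared extension disagrees with the magic bytes
    (e.g. a RAR archive named *.chm), 'review' for an honestly named RAR that
    should still go through archive inspection, 'ok' otherwise.
    """
    ext = os.path.splitext(filename.lower())[1]
    container = detect_container(data)
    expected = EXPECTED_EXT.get(container)
    if expected is not None and ext not in expected:
        return {
            "file": filename,
            "verdict": "suspicious",
            "reason": f"content is {container} but extension is {ext or '(none)'}",
        }
    if container == "rar":
        return {"file": filename, "verdict": "review", "reason": "RAR archive attachment"}
    return {"file": filename, "verdict": "ok", "reason": f"{container} content matches extension"}


# Constructed sample attachments (header bytes plus filler), not real campaign samples.
SAMPLES = [
    ("Order_Confirmation.chm", RAR4_MAGIC + b"\x00" * 32),            # RAR disguised as CHM
    ("Manual.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 28),    # genuine CHM header
    ("Invoice.rar", RAR5_MAGIC + b"\x00" * 32),                        # honestly named RAR
    ("notes.txt", b"plain text body"),                                 # no container at all
]


def run_triage(samples=SAMPLES) -> list:
    """Triage every (name, bytes) pair and return the list of verdict dicts."""
    return [triage_attachment(name, blob) for name, blob in samples]


if __name__ == "__main__":
    for r in run_triage():
        print(f"{r['verdict']:10} {r['file']:25} {r['reason']}")
```

The check deliberately keys on content first and name second: an attachment whose bytes say RAR is treated as an archive regardless of what the sender called it, which is exactly the disguise this campaign depends on to slip past filters that only look at the extension.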
What’s so special?
The threat actors behind the recent MassLogger campaign have employed a multi-modular approach in their campaigns so far. Every observed campaign has started with a phishing email and proceeded through several stages to the final payload. It is notable that, apart from the initial mail attachment, every stage of the attack is fileless.
Related incidents
In August 2020, attackers launched a malicious spam email campaign to distribute MassLogger with several dangerous functionalities.
In July 2020, a MassLogger campaign used several different file types as malicious attachments for its initial infection vector.