A new version of the Masslogger trojan has been targeting Windows users – now using a compiled HTML (CHM) file to start the infection chain.
Cyber-criminals are targeting Windows users with a new variant of the Masslogger trojan, which is spyware designed to swipe victims’ credentials from Microsoft Outlook, Google Chrome & various instant-messenger accounts.
Compiled HTML Files
Researchers uncovered the campaign targeting users in Italy, Latvia & Turkey starting in mid-Jan. When the Masslogger variant launched its infection chain, it disguised its malicious RAR files as Compiled HTML (CHM) files.
This is a new move for Masslogger, & helps the malware sidestep potential defensive programs, which would otherwise block the email attachment based on its RAR file extension, said researchers on Wed.
“The use of compiled HTML (usually used for Windows help files) can be advantageous for the attacker since the initial infection vector is email,” Vanja Svajcer, outreach researcher with Cisco Talos, explained. “Many organisations will not consider CHM files to be executables so it is more likely they will evade content filters filtering incoming email messages based on the attachment name or type.”
Masslogger is a spyware program, which is written in .NET & steals browser, email & instant-messaging credentials. The trojan was released in April & has since been sold on underground forums.
“Masslogger is a commodity malware that has been in development & circulation for almost a year now,” Svajcer outlined. “It is sold on underground forums for a relatively modest amount of money & it can be used by any malicious actor.
We wanted to emphasise that these campaigns with these particular spreading techniques can likely be linked to a single actor, based on the exfiltration server domain used in all campaigns for exfiltrating credentials.”
Researchers stated that the recent attack started with email messages that contained “legitimate-looking” subject lines related to business. One email, for example, was entitled “Domestic customer inquiry” & told the recipient, “At the request of our customer, please send your attached best quotes.”
These emails contained RAR attachments – however, while the typical filename extension for RAR files is .rar, in this case the attackers hid them behind the .chm file extension. The files were named with the pattern “r00,” with the number increasing per file in each email.
Bypass ‘Simple Blockers’
The Compiled HTML (CHM) file format is used for help documentation — the files are compiled & saved in a compressed HTML format. They may include text, images & hyperlinks. CHM files are used by Windows programs as an online help solution.
The .chm attachment filename extension is sometimes chosen to bypass “simple blockers,” which attempt to block RAR attachments based on their default filename extension “.rar,” said Svajcer. WinRAR and other RAR-capable un-archivers will still open the renamed files without problems, he noted, because they identify the archive by its content rather than by its name.
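The extension mismatch described above can be caught by inspecting an attachment's leading bytes instead of trusting its name. The following Python script is an added example, not code from the article or from Cisco Talos: it compares each attachment's claimed extension against the container format identified from its header. The signature bytes are the documented RAR 4.x/5.x and CHM (“ITSF”) headers; the sample attachment contents are constructed for the demonstration.

```python
"""Flag attachments whose declared extension does not match their content.

Added example (not from the original article or from Cisco Talos). The
campaign above mailed RAR archives renamed to ".chm" so that name-based
filters passed them. Checking magic bytes instead of the name catches that.
"""
from __future__ import annotations

import os

# Leading bytes of each container format, keyed by the extension that
# legitimately carries it. RAR 4.x and RAR 5.x use different signatures.
MAGIC = {
    ".rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    ".chm": (b"ITSF",),  # Compiled HTML Help
}


def identify(header: bytes) -> str | None:
    """Return the extension whose magic matches the header, else None."""
    for ext, signatures in MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return ext
    return None


def is_disguised(filename: str, header: bytes) -> bool:
    """True when a recognised container is carried under a different extension."""
    claimed = os.path.splitext(filename)[1].lower()
    actual = identify(header)
    return actual is not None and actual != claimed


def scan_attachments(attachments: dict[str, bytes]) -> list[str]:
    """Return the names of attachments whose content is a disguised archive."""
    return [name for name, data in attachments.items() if is_disguised(name, data[:16])]


# Constructed sample attachments (headers only; not real campaign samples).
SAMPLE = {
    "r00.chm": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,   # RAR5 archive named .chm
    "help.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 8,  # a genuine CHM file
    "r01.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 9,       # RAR4 archive, honestly named
}

if __name__ == "__main__":
    for name in scan_attachments(SAMPLE):
        print(f"{name}: extension does not match content")
```

In a mail gateway this check would run on the decoded attachment bytes before any extension-based allow or deny rule, since the whole point of the disguise is that the rule never sees a `.rar` name.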
After the infection process begins, a PowerShell script executes that acts as a downloader. This then downloads & loads the main PowerShell loader.
“The main payload is a variant of the Masslogger trojan designed to retrieve & exfiltrate user credentials from a variety of sources, targeting home & business users,” commented Svajcer. “Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality.”
The Masslogger payload contains the functionality to target & steal credentials from the following applications: Pidgin (a free & open-source multi-platform instant messenger client), the FileZilla File Transfer Protocol (FTP) client, the Discord group-chatting platform, NordVPN, Outlook, FoxMail, Firefox, Thunderbird, QQ Browser & Chromium-based browsers (Chrome, Chromium, Edge, Opera & Brave).
“Once the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a filename containing the username, 2-letter country ID, unique machine ID & the timestamp for when the file was created,” explained Svajcer.
Masslogger Malware Evolves
Researchers believe that the actor behind the campaign is tied to other attacks, which date back to at least Sept. These campaigns have targeted several European countries & shift their focus monthly.
For instance, researchers detected email messages targeting Bulgaria, Estonia, Hungary, Italy, Latvia, Lithuania, Romania, Spain & Turkey, as well as messages written in English.
Indicators of Compromise
Based on the indicators of compromise (IoCs) that researchers retrieved, they said that they have “moderate confidence” that this attacker has previously used other nasty payloads such as the AgentTesla trojan & the Formbook dropper in campaigns starting as early as April.
“The actor employs a multi-modular approach that starts with the initial phishing email & carries through to the final payload,” outlined Svajcer. “The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the kill chain.”