Cred-stealing trojan harvests logins from Chromium browsers, Outlook and more, warns Cisco Talos

Masslogger evolution rears its ugly head, $30 gets you a three-month licence to cause carnage


Cisco Talos has uncovered a new variant of a credential-stealing trojan that lifts stored logins from Chromium-based browsers, Microsoft Outlook and instant messaging clients.

Delivered through phishing emails, the latest Masslogger variant arrives as a multi-volume RAR archive whose volumes carry .r00 extensions rather than .rar, and which contains a .chm compiled HTML help file, said Switchzilla’s security research arm.

“CHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Every stage of the infection is obfuscated to avoid detection using simple signatures,” it said.

Opening the “help” file deploys the malware onto the target system.

Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.”
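The SMTP and FTP channels quoted above need no attacker-side infrastructure, which is exactly why they stand out on a corporate network: user workstations have no business speaking SMTP or FTP directly to the internet. The following detection pass over firewall connection logs is an added example written for this page, not Talos's or Masslogger's code. The log lines are constructed, and the network layout (workstations in 10.10.4.0/22, a single permitted mail gateway at 10.10.1.9, everything in 10.0.0.0/8 treated as internal) is an assumption you would replace with your own.

```python
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not real Masslogger traffic):
# timestamp src dst dst_port proto bytes_out
SAMPLE_LOG = """\
2021-02-17T09:12:01 10.10.4.23 10.10.1.5 443 tcp 812
2021-02-17T09:12:07 10.10.4.23 198.51.100.14 587 tcp 51230
2021-02-17T09:13:00 10.10.1.9 203.0.113.7 25 tcp 2200
2021-02-17T09:14:42 10.10.4.23 198.51.100.9 21 tcp 38091
2021-02-17T09:15:10 10.10.4.23 93.184.216.34 443 tcp 1000
"""

# Assumed network layout: workstations live in 10.10.4.0/22 and the mail
# gateway 10.10.1.9 is the only host allowed to talk SMTP to the internet.
WORKSTATION_NETS = [ip_network("10.10.4.0/22")]
ALLOWED_SENDERS = {ip_address("10.10.1.9")}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Ports used by the two exfiltration channels that need no attacker server.
EXFIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 21: "ftp"}


def parse_line(line):
    """Split one space-separated connection record into typed fields."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "port": int(port), "proto": proto, "bytes": int(nbytes)}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_workstation(addr):
    return any(addr in net for net in WORKSTATION_NETS)


def find_exfil(log_text, min_bytes=0):
    """Return (src, dst, channel, bytes_out) for every workstation that
    pushes data to an external host over SMTP/FTP, ignoring sanctioned
    senders and flows smaller than min_bytes (keylogger dumps are not tiny)."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["port"] not in EXFIL_PORTS:
            continue
        if is_internal(rec["dst"]):
            continue  # internal mail/FTP servers are someone else's problem
        if rec["src"] in ALLOWED_SENDERS or not is_workstation(rec["src"]):
            continue
        if rec["bytes"] < min_bytes:
            continue
        alerts.append((str(rec["src"]), str(rec["dst"]),
                       EXFIL_PORTS[rec["port"]], rec["bytes"]))
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG):
        print("possible credential exfil:", alert)
```

The HTTP channel is harder: it looks like any other POST to a web host and needs the control panel's address or a newly-seen-domain feed to catch, which is why this example only covers the two protocols that need no server-side component.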

Apps from which it harvests stored credentials include Discord, Microsoft Outlook, Mozilla Thunderbird, Firefox and Chromium-based browsers. The malware also tries to add itself to the exclusion list of Windows Defender so that it is not scanned.

The second stage of the infection is a PowerShell script, a common technique, that fetches the main Masslogger loader from compromised legitimate hosts, where it is stored with a .jpg extension to look like an image. From there the loader is deployed and executed.
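Two of the artefacts in this chain can be caught before any script runs: a RAR archive that carries a .r00 extension and contains a compiled HTML help file, and a download whose URL says .jpg but whose bytes are not a JPEG. The attachment and download triage below is an added example written for this page, not code from Talos or from the malware. The sample files are constructed byte strings; the RAR 4.x header layout (7-byte marker followed by a main header with a 0x0001 multi-volume flag) is taken from the RAR technical notes, and the flag strings and function names are this example's own.

```python
import re
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
CHM_MAGIC = b"ITSF"          # compiled HTML help (InfoTech Storage Format)
JPEG_MAGIC = b"\xff\xd8\xff"

# Old-style RAR volume names (.r00, .r01, ...) and new-style .partNN.rar
VOLUME_NAME_RE = re.compile(r"\.(r\d{2}|part\d+\.rar)$", re.IGNORECASE)

# RAR 4.x main archive header, right after the 7-byte marker:
#   HEAD_CRC(2) HEAD_TYPE(1)=0x73 HEAD_FLAGS(2) HEAD_SIZE(2), little-endian.
# Bit 0x0001 of HEAD_FLAGS (MHD_VOLUME) marks a multi-volume archive.
MHD_VOLUME = 0x0001

FLAG_CHM = "CHM help file: can carry HTML and script that runs on open"
FLAG_VOLNAME = "RAR volume name (multi-volume archive)"
FLAG_MHD = "RAR header flags MHD_VOLUME set"


def file_kind(data):
    """Identify the container by magic bytes, ignoring the file name."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def rar4_is_multivolume(data):
    if not data.startswith(RAR4_MAGIC) or len(data) < 14:
        return False
    _crc, head_type, flags, _size = struct.unpack_from("<HBHH", data, 7)
    return head_type == 0x73 and bool(flags & MHD_VOLUME)


def triage_attachment(name, data):
    """Return a list of reasons this attachment deserves a closer look."""
    flags = []
    kind = file_kind(data)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if kind == "chm":
        flags.append(FLAG_CHM)
    if kind in ("rar4", "rar5"):
        if VOLUME_NAME_RE.search(name):
            flags.append(FLAG_VOLNAME)
        if ext != "rar":
            flags.append(f"RAR data under .{ext} extension")
        if kind == "rar4" and rar4_is_multivolume(data):
            flags.append(FLAG_MHD)
    return flags


def download_mismatch(url, body):
    """True when a URL claims an image but the bytes are not a JPEG,
    the trick used to park the loader on compromised hosts."""
    path = url.split("?", 1)[0].lower()
    return path.endswith((".jpg", ".jpeg")) and not body.startswith(JPEG_MAGIC)


# Constructed samples (not real malware): a first RAR volume with the
# multi-volume bit set, a plain single-volume RAR, a CHM header, a PDF.
SAMPLE_R00 = RAR4_MAGIC + struct.pack("<HBHH", 0x90CF, 0x73, MHD_VOLUME, 13) + b"\x00" * 6
SAMPLE_PLAIN_RAR = RAR4_MAGIC + struct.pack("<HBHH", 0x90CF, 0x73, 0x0000, 13) + b"\x00" * 6
SAMPLE_CHM = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, blob in [("invoice.r00", SAMPLE_R00), ("archive.rar", SAMPLE_PLAIN_RAR),
                       ("help.chm", SAMPLE_CHM), ("report.pdf", SAMPLE_PDF)]:
        print(name, triage_attachment(name, blob) or "clean")
    print(download_mismatch("http://example.invalid/img/photo.jpg", b"$x = 1"))
```

In practice the cheapest control is a mail-gateway rule that quarantines CHM attachments and archives with numbered-volume extensions outright; the header check is there so the rule still fires when a sender renames the first volume to something innocuous.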

Talos said the malicious folk behind Masslogger were mostly targeting southern and eastern European countries: “Based on the combination of discovered emails and file names, we believe it was targeting organizations in Turkey, Latvia and Italy. We have observed similar campaigns happening in several instances before, starting no later than September 2020. In previous campaigns, the actor was targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain.”

Masslogger is not an entirely new creation of the malware industry: Talos pointed to previous research by infosec chap Fred HK. He attributed it to a malware underground persona who goes by the handle of NYANxCAT. Prices for Masslogger were apparently $30 for three months or $50 for a lifetime licence.

Cisco’s analysis showed that Masslogger “is almost entirely executed and present only in memory”: the only parts of the chain that touch the disk are the email attachment and the HTML help file it contains.

In-memory malware took off in the early-to-mid 2000s. Its selling point for criminals is that it leaves little on disk for file-scanning antivirus or a forensic examiner to find; the trade-off is that it is wiped from the target system on reboot unless a persistence mechanism reinstalls it. Recently the technique has also been deployed against Linux and Apple operating systems.
