Masslogger Stealer
Introduction
Cyberint Research observed several unsolicited malicious email (malspam) campaigns in August 2021 through which Masslogger was delivered. First noticed around April 2020, Masslogger is a popular .NET credential stealer used to gather credentials from victims for various applications, and is readily available to purchase on cybercriminal forums for around $100 (US). Although stealer threats are often indiscriminate and target individuals rather than businesses, recently observed campaigns appear to specifically target various organizations, potentially as a precursor to another attack through the collection of credentials for later abuse.
Notably, analysis of this specific campaign identifies a pattern of activity targeting the manufacturing and banking industries, especially those located in Europe, although the end objective of the threat actor cannot be fully ascertained at this time.
Delivery
As is common with threats of this nature, the initial delivery method is via email lures masquerading as legitimate business communications that encourage the recipient to open the attachment. Based on an analysis of this recent campaign, observed lure themes (Figure 1) include content relating to urgent or pressing matters such as "new order", "payment", "purchase order" and "quotation", as well as the apparent reuse of prior legitimate email threads that include contact details for, and mimic, an unwitting third party.
Figure 1: Redline panel menu
Given the nature of the email lure, targeted recipients will likely include those working within Business Administration, Finance and Sales teams. Furthermore, the compromise of one organization could lead to legitimate email accounts being abused to send convincing lures to other organizations, such as their customers, partners and suppliers.
Initial Infection
Having lured the victim into opening the malicious email attachment, one recent campaign included an initial payload named %APPDATA%\Temp\<BANK_NAME> Swift Mesaji.exe that would appeal to those working in the financial industry, given the presence of the target organization's name and "Swift", which likely refers to the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
This initial payload XOR-decrypts an embedded second-stage assembly, which in turn loads and executes the final Masslogger payload. Although it is highly unlikely that a bare executable attachment will pass through email protection systems, or even be displayed by a modern email client, other campaigns have been observed improving the delivery method by wrapping the executable in compressed (archive) files.
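The XOR-decrypt step is a common .NET loader pattern. The script below is an added example, not code from the report or from Masslogger, showing how an analyst can recover such an embedded stage from a dumped resource blob: it assumes a short repeating XOR key (the report does not give the key or its length), brute-forces single-byte keys, and validates each candidate by checking the DOS "MZ" magic and the "PE\0\0" signature at e_lfanew. The encrypted blob it works on is constructed inside the script and the key 0x5a is hypothetical.

```python
"""Recover a XOR-encrypted second-stage PE from a dumped blob (added example).

Not Masslogger's own loader code. Assumes a short repeating XOR key; the real
key and its length are not given in the report, so only single-byte keys are
brute-forced here. The sample blob is constructed and the key 0x5a is hypothetical.
"""
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == PE_SIG


def brute_force_single_byte_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that yields a plausible PE."""
    for k in range(256):
        if looks_like_pe(xor_bytes(blob, bytes([k]))):
            return k
    return None


def recover_stage2(blob: bytes) -> Optional[bytes]:
    """Decrypt blob with the recovered key, or None if no key produces a PE header."""
    k = brute_force_single_byte_key(blob)
    return None if k is None else xor_bytes(blob, bytes([k]))


def make_fake_pe() -> bytes:
    """Constructed stand-in for a second-stage assembly: a minimal PE header only."""
    hdr = bytearray(0x80)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = PE_SIG
    hdr[0x44:] = b"<fake assembly body>".ljust(len(hdr) - 0x44, b"\x00")
    return bytes(hdr)


if __name__ == "__main__":
    stage2 = make_fake_pe()
    encrypted = xor_bytes(stage2, b"\x5a")  # hypothetical loader key
    key = brute_force_single_byte_key(encrypted)
    print("recovered key:", None if key is None else hex(key))
    print("stage2 intact:", recover_stage2(encrypted) == stage2)
```

In practice the blob is first extracted from the loader's .NET resources with a decompiler; loaders using a multi-byte key need a known-plaintext attack against the "MZ" magic and the DOS stub text, which this single-byte brute-force does not attempt.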
Masslogger Payload
Masslogger's approach is much like that of most other stealer threats, focusing on the theft of credentials from common applications such as browsers, email clients, file sharing services, messaging applications and VPNs.
Data Exfiltration
Upon completion of the data theft stage, Masslogger writes the stolen data to a Log.txt file inside a working directory under %APPDATA% whose name is ten random characters, for example:
%APPDATA%\A1TE59L0O4\Log.txt
Typically, this log will identify the Masslogger version, including the details of the malicious process, along with details of the victim, their machine and any stolen credentials (Figure 2).
Figure 2: Masslogger Log.txt file containing all stolen data it found
Calling Home
Masslogger activity on a victim's machine is fairly simple and quick. In the cases observed, no persistence mechanism was established and no updates were requested from the threat actor over time. Data exfiltration is performed over SMTP: the stealer sends an email containing a base64-encoded string to a specific domain (Figure 3).
Figure 3: Email generated by Masslogger
Seemingly using a compromised mailbox at a third-party organization to receive the exfiltrated data, Masslogger first authenticates to the mail server with base64-encoded strings containing the username (email address) and password, consistent with the SMTP AUTH LOGIN mechanism.
The exfiltrated data is likewise base64 encoded and contains all data present in the Log.txt file shown in Figure 2. Base64 is an encoding, not encryption: anyone able to capture the SMTP session, including the victim organization's network defenders, can recover both the drop mailbox credentials and the stolen data.
Recommendations
- Employee security awareness training remains an important step in helping them identify and be suspicious of unsolicited emails and phishing campaigns, especially messages with embedded links or file attachments.
- Multi-factor authentication should be implemented wherever possible to limit the effectiveness of stolen credentials.
- Employees should be reminded of the risks associated with credential reuse and weak passwords supported by password policies to encourage best practices.
- Ensure that email security controls are applied to limit the delivery of potentially malicious attachments or links to end-users, as well as implementing protocols and security controls such as DKIM, DMARC and SPF.
- Consider applying deep content inspection to ensure that any downloaded content file type matches the actual file content in addition to blocking dangerous file types, such as executables, for standard users.
Indicators of Compromise
File Samples (SHA256)
The following hashes are provided for reference. Given the ongoing nature of these campaigns, it is likely that the threat actor will utilize methods to avoid detection such as packing and crypting, resulting in differing cryptographic hashes.
- Masslogger Delivery Executable
6a7a3a0a6690559ef59408a9013d10b8b80c8abcbfc7bc14120820649a25919f
d430d417a297fd81201042759619500ce28914ee824c54112819a9d692db1beb
456f0fa423d312c6eaa1114f382a0e187e229f21e6a9bbd0ea45de0b2c6db2bd
7757ad9a0393b300198d198c792c2bc44c08cca9dfd01b1ac26d3d123d324930
- Masslogger Payload
3d2e64397cf43b5c4e460fd73558f55aceafc1f00cf84b60e3f1cac987a8006f
File System
The creation of unexpected directories and files within %APPDATA% could be indicative of compromise, especially a directory named with ten random characters containing a Log.txt file. The following regular expression matches that directory structure and log filename:
%APPDATA%\\\w{10}\\Log\.txt
Note that %APPDATA% is an environment variable: when matching against file-creation telemetry, use the expanded path (typically C:\Users\<user>\AppData\Roaming). \w also matches digits and underscore, while the observed directory name was uppercase alphanumeric, so a stricter [A-Z0-9]{10} may be preferable where legitimate software creates similarly named directories.
Notably, some Masslogger versions write strings to the Log.txt file that provide even stronger indications that the file relates to the Masslogger stealer:
MassLogger v
MassLogger Process:
MassLogger Melt: (true|false)
MassLogger Exit after delivery: (true|false)
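Putting the Calling Home observations and the marker strings above together, the following is an added example, not part of the report and not Masslogger's code, of a triage script a responder could run over a captured SMTP session: it recovers the drop mailbox credentials from the base64 AUTH LOGIN exchange, base64-decodes the message body and matches it against the four Log.txt markers, and separately checks file-creation paths against the working-directory pattern. The SMTP transcript, log contents, mailbox, password and version string are all constructed; the report only states that authentication and the exfiltrated data are base64 encoded, and the AUTH LOGIN exchange modelled here is the standard SMTP mechanism that matches that description.

```python
"""Triage a captured SMTP exfiltration session for Masslogger markers (added example).
Not part of the report. The transcript, log, mailbox and password below are constructed.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Strings quoted in the File System section of the report.
MASSLOGGER_MARKERS = [
    re.compile(r"MassLogger v"),
    re.compile(r"MassLogger Process:"),
    re.compile(r"MassLogger Melt: (true|false)"),
    re.compile(r"MassLogger Exit after delivery: (true|false)"),
]
# Working-directory pattern from the report, applied to an expanded %APPDATA% path.
LOG_PATH_RE = re.compile(r"\\AppData\\Roaming\\\w{10}\\Log\.txt$", re.IGNORECASE)


def b64text(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def b64_or_none(s: str) -> Optional[str]:
    """Strict base64 decode to text; None when s is not base64 (e.g. an SMTP verb)."""
    if not s:
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def parse_auth_login(lines: List[str]) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an AUTH LOGIN exchange.
    Handles the two-step form and the 'AUTH LOGIN <base64-user>' one-liner."""
    creds: List[str] = []
    in_auth = False
    for line in lines:
        if line.upper().startswith("AUTH LOGIN"):
            in_auth = True
            parts = line.split(None, 2)  # initial response, if the client supplied one
            if len(parts) == 3:
                d = b64_or_none(parts[2])
                if d is not None:
                    creds.append(d)
            continue
        if in_auth:
            if line[:3] in ("235", "535"):  # authentication finished, success or failure
                break
            if not line[:3].isdigit():  # skip 334 server challenges
                d = b64_or_none(line.strip())
                if d is not None:
                    creds.append(d)
        if len(creds) == 2:
            break
    return (creds[0], creds[1]) if len(creds) == 2 else None


def extract_body(lines: List[str]) -> str:
    """Concatenate the DATA payload after the header block, up to the lone '.' line."""
    in_data, seen_blank, body = False, False, []
    for line in lines:
        if not in_data:
            in_data = line.upper() == "DATA"
            continue
        if line == ".":
            break
        if line.startswith("354"):
            continue
        if not seen_blank:
            seen_blank = line == ""
            continue
        body.append(line.strip())  # base64 may be wrapped over several lines
    return "".join(body)


def triage_session(transcript: str) -> Dict[str, object]:
    lines = transcript.splitlines()
    creds = parse_auth_login(lines)
    log = b64_or_none(extract_body(lines)) or ""
    hits = [m.pattern for m in MASSLOGGER_MARKERS if m.search(log)]
    return {
        "drop_mailbox": creds[0] if creds else None,
        "drop_password": creds[1] if creds else None,
        "marker_hits": hits,
        "is_masslogger": len(hits) >= 2,  # require two markers to limit false positives
        "decoded_log": log,
    }


def is_masslogger_log_path(path: str) -> bool:
    """File-creation check: a ten-character directory under %APPDATA% holding Log.txt."""
    return LOG_PATH_RE.search(path) is not None


# Constructed log and session; no real credentials, hosts or version numbers.
LOG_CLEARTEXT = "\r\n".join([
    "MassLogger v0.0.0 (constructed sample)",
    "MassLogger Process: C:\\Users\\alice\\AppData\\Roaming\\Temp\\ExampleBank Swift Mesaji.exe",
    "MassLogger Melt: false",
    "MassLogger Exit after delivery: true",
    "[Browser] https://intranet.example.test  alice  hunter2",
])
SESSION = "\r\n".join([
    "220 mail.example.test ESMTP", "EHLO victim-host", "250 OK",
    "AUTH LOGIN", "334 VXNlcm5hbWU6", b64text("dropbox@example.test"),
    "334 UGFzc3dvcmQ6", b64text("not-a-real-password"), "235 Authentication succeeded",
    "MAIL FROM:<dropbox@example.test>", "250 OK", "RCPT TO:<dropbox@example.test>", "250 OK",
    "DATA", "354 End data with <CR><LF>.<CR><LF>", "From: dropbox@example.test",
    "Subject: constructed", "", b64text(LOG_CLEARTEXT), ".", "250 Queued", "QUIT",
])

if __name__ == "__main__":
    result = triage_session(SESSION)
    print("drop mailbox:", result["drop_mailbox"], "| markers:", result["marker_hits"])
```

Because the credentials travel in the clear apart from base64, the recovered drop mailbox is also the lead for notifying the third party whose account was compromised; requiring two marker hits rather than one keeps a benign mail containing the phrase "MassLogger v" from raising an alert on its own.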
Drop Zone IPs
162[.]255[.]119[.]21
95[.]173[.]177[.]131