DavidSep 1, 2021
Cyberint Research observed several unsolicited malicious email (malspam) campaigns in August 2021 through which Masslogger was delivered. First noticed around April 2020, Masslogger is a popular .NET credential stealer used to gather credentials from victims for various applications, and is readily available to purchase on cybercriminal forums for around $100 (US). Although stealer threats are often indiscriminate and target individuals rather than businesses, recently observed campaigns appear to specifically target various organizations, potentially as a precursor to another attack through the collection of credentials for later abuse.
Notably, analysis of this specific campaign identifies a pattern of activity targeting the manufacturing and banking industries, especially those located in Europe, although the end objective of the threat actor cannot be fully ascertained at this time.
As is common with threats of this nature, the initial delivery method is via email lures masquerading as legitimate business communications that encourage the recipient to open the attachment. Based on an analysis of this recent campaign, observed lur themes (Figure 1) include content relating to urgent or pressing matters such as
purchase order and
quotation, as well as the apparent reuse of prior legitimate email threads that include contact details for, and mimic, an unwitting third party.
Figure 1: Redline panel menu
Given the nature of the email lure, targeted recipients will likely include those working within Business Administration, Finance and Sales teams. Furthermore, the compromise of one organization could lead to legitimate email accounts being abused to send convincing lures to other organizations, such as their customers, partners and suppliers.
Having lured the victim into opening the malicious email attachment, one recent campaign included an initial payload that would appeal to those working in the financial industry,
%APPDATA%\Temp\<BANK_NAME> Swift Mesaji.exe, given the presence of the target organization name and
Swift which likely relates to the Society for Worldwide Interbank Financial Telecommunications (SWIFT).
This initial payload subsequently XOR-decrypts the second stage assembly, which loads and executes the final Masslogger payload. Although it is highly unlikely that an executable will manage to pass through email protection systems as an attachment, or even be displayed by a modern email client, other campaigns have been observed as improving the delivery method through the use of compressed files.
While focusing on the theft of credentials from common applications such as browsers, email clients, file sharing services, messaging applications and VPNs, Masslogger stealer’s approach is somewhat like most other stealer threats.
Upon the completion of the data theft stage, Masslogger creates a
Log.txt file stored in
%APPDATA% in a 10 random character working directory containing the stolen data, for example:
Typically, this log will identify the Masslogger version, including the details of the malicious process, along with details of the victim, their machine and any stolen credentials (Figure 2).
Figure 2: Masslogger Log.txt file containing all stolen data it found
Masslogger activity within a victim’s machine is fairly simple and quick. The following cases show no persistency or any other updates requested from the threat actor to the samples over periods of time. Data exfiltration is done via the SMTP protocol, sending an email containing base64 string, to a specific domain (Figure 3).
Figure 3: Email Masslogger generated
Seemingly using a compromised mailbox from a third-party organization to receive exfiltrated data, Masslogger initially authenticates using base64 encoded strings that contain the username (email address) and password.
The exfiltrated data is also base64 encoded and contains all data presented in the Log.txt file as shown in Figure 2.
The following hashes are provided for reference. Given the ongoing nature of these campaigns, it is likely that the threat actor will utilize methods to avoid detection such as packing and crypting, resulting in differing cryptographic hashes.
The creation of unexpected directories and files within
%APPDATA% could be indicative of compromise, especially the creation of a ten random character directory and Log.txt file. As such, the following regular expression matches the directory structure and corresponding archive filename:
Notably, some Masslogger versions contain strings within the Log.txt file that provides even better clues for a file related to the Masslogger stealer:
MassLogger Melt: (true|false)
MassLogger Exit after delivery: (true|false)