Otto (Advanced) - Joined 22.09.20 - Messages 104 - Reaction score 423 - Points 63
The attackers targeted organizations in Turkey, Latvia and Italy.
Cisco Talos researchers have uncovered a new malicious campaign in which the Masslogger trojan steals credentials from Chromium-based browsers (Chrome, Chromium, Edge, Opera, Brave), Microsoft Outlook and instant messaging clients. Masslogger is a credential stealer and keylogger that can exfiltrate the collected data over SMTP, FTP or HTTP.
The latest Masslogger variant is delivered by phishing email as a multi-volume RAR archive whose attachment carries the .r00 volume extension rather than .rar; inside the archive is a compiled HTML help (.chm) file. The non-standard extension is presumably meant to slip past mail filters that block attachments on file extension alone, since such filters typically key on .rar and .exe rather than on the archive's actual content.
"CHM is a compiled HTML file containing an embedded HTML file with JavaScript code that starts the active infection process. Each stage of the infection is hidden to avoid detection," the researchers explained.
The malware also tries to have Windows Defender exclude it from scanning. The second stage of the infection is a PowerShell script that downloads the main Masslogger loader, disguised as a .jpg file, from compromised legitimate hosts; from there the loader is deployed and launched.
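The delivery chain above relies on two tricks that a content-aware filter catches and an extension-based one does not: an archive volume renamed .r00 so it is not recognised as .rar, and a Windows executable served as a .jpg. The following Python triage script is an added example, not code from the Cisco Talos report or from this post. It identifies attachments by their magic bytes (the signatures are the real ones for RAR4/RAR5, CHM, PE, JPEG and ZIP), flags extension/content mismatches and active-content formats such as CHM, and separately greps a PowerShell stage for Defender-exclusion cmdlets. The sample attachments and the sample script are constructed; the `Add-MpPreference -ExclusionPath` and `Set-MpPreference -Disable*` patterns are an assumption about how a PowerShell stage typically adds a Defender exclusion, since the report excerpt does not name the cmdlet Masslogger uses.

```python
"""Attachment triage for the delivery chain described above (added example)."""
import re
from typing import List, Optional

# Real file-format signatures (leading bytes). RAR5 is listed before RAR4
# because the RAR4 prefix is shorter and must not shadow it.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR5 archive
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR4 archive
    (b"ITSF", "chm"),                   # compiled HTML help
    (b"MZ", "pe"),                      # Windows executable / DLL
    (b"\xff\xd8\xff", "jpeg"),          # JPEG image
    (b"PK\x03\x04", "zip"),             # ZIP (and OOXML documents)
]

# Extensions that legitimately carry each detected format.
EXPECTED_EXT = {
    "rar": {"rar"},
    "chm": {"chm"},
    "pe": {"exe", "dll", "scr"},
    "jpeg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
}

# Formats that run code when the user opens them; a CHM with embedded
# JavaScript executes on double-click just like the campaign's first stage.
ACTIVE_FORMATS = {"chm", "pe"}

# Old-style RAR volume names (.r00, .r01, ...) and new-style .partN.rar.
RAR_VOLUME_RE = re.compile(r"\.r\d{2}$|\.part\d+\.rar$", re.IGNORECASE)

# Assumed heuristic (not from the report): cmdlets a PowerShell stage would
# use to exclude a path from Defender or switch off its protections.
DEFENDER_TAMPER_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath|Set-MpPreference\s+-Disable\w+",
    re.IGNORECASE,
)


def identify(data: bytes) -> Optional[str]:
    """Return the format name for the leading bytes, or None if unknown."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Judge an attachment by content, not by the extension the sender chose."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = identify(data)
    flags: List[str] = []
    if fmt is None:
        flags.append("unrecognised format")
    else:
        if ext not in EXPECTED_EXT[fmt]:
            if fmt == "rar" and RAR_VOLUME_RE.search(filename):
                # Legitimate multi-volume naming, but a filter keyed on
                # ".rar" never sees it; treat it like any other archive.
                flags.append("rar volume named .%s; a filter keyed on .rar misses it" % ext)
            else:
                flags.append("extension .%s does not match content (%s)" % (ext, fmt))
        if fmt in ACTIVE_FORMATS:
            flags.append("active content: %s" % fmt)
    return {"file": filename, "format": fmt, "flags": flags, "block": bool(flags)}


def defender_tampering(script: str) -> List[str]:
    """Return the Defender-exclusion / disable cmdlet fragments found in a script."""
    return [m.group(0) for m in DEFENDER_TAMPER_RE.finditer(script)]


# Constructed samples mirroring the chain: renamed RAR volume, CHM stage,
# PE served as .jpg, a real JPEG and an archive with an honest extension.
SAMPLES = [
    ("invoice.r00", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16),
    ("readme.chm", b"ITSF\x03\x00\x00\x00" + b"\x00" * 16),
    ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 16),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("archive.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
]
SAMPLE_STAGE2 = 'Add-MpPreference -ExclusionPath "C:\\Users\\Public"; Invoke-WebRequest ...'

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(triage_attachment(name, blob))
    print(defender_tampering(SAMPLE_STAGE2))
```

Members of an archive need the same check after extraction (the .chm inside the .r00 volume is what actually runs); the script only looks at the outer attachment, so pair it with an unpacker in a sandbox rather than trusting the outer verdict alone.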
"Based on the combination of the detected emails and file names, we believe that the attackers are targeting organizations in Turkey, Latvia and Italy. We have already seen similar campaigns in the fall of 2020. In previous campaigns, criminals attacked users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain," the experts noted.