Masslogger Trojan
Summary
Masslogger is a newly seen credential stealing trojan with links to the cybercrime operators of the Agent Tesla spyware-as-a-service malware.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
First observed in early 2021, Masslogger is a .NET-based trojan focused on extracting user credentials and browser data. Although its operators have not been identified, evidence from the infection chain indicates that they are affiliated with the cybercrime group behind Agent Tesla.
Delivery
Masslogger is delivered as RAR archive files distributed as part of country-specific phishing campaigns. Each RAR archive contains a compiled HTML (CHM) file, which is decompiled when the archive is extracted. The CHM file contains partially obfuscated JavaScript code that constructs a simple HTML page, which in turn embeds a PowerShell dropper stage as an ActiveX object. The PowerShell dropper then downloads two DLL files to the target system: a loader and the Masslogger payload.
The loader DLL is then executed; it performs several anti-analysis checks before spawning a new instance of the msbuild.exe process and injecting the Masslogger payload into it.
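As an added example (not NHS Digital's own guidance or code), the following Python heuristics flag the two stages of the delivery chain above in process-creation telemetry, together with the CHM-inside-RAR attachment pattern. It assumes generic parent/image/command-line event fields, that the CHM viewer process is hh.exe, and runs over constructed sample events rather than real logs.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def archive_contains_chm(member_names) -> bool:
    """Delivery check: a RAR attachment carrying a compiled HTML (.chm) file."""
    return any(n.lower().endswith(".chm") for n in member_names)

def chm_spawns_powershell(ev: ProcessEvent) -> bool:
    """Stage 1: the CHM viewer (assumed here to be hh.exe) launching PowerShell."""
    return (_basename(ev.parent) == "hh.exe"
            and _basename(ev.image) in ("powershell.exe", "pwsh.exe"))

def msbuild_without_project(ev: ProcessEvent) -> bool:
    """Stage 2: msbuild.exe started with no project or solution argument, the shape
    of an injection host. A build run from inside a project directory also matches,
    so treat this as a triage lead rather than a verdict."""
    if _basename(ev.image) != "msbuild.exe":
        return False
    args = ev.cmdline.split()[1:]
    return not any(a.lower().endswith((".csproj", ".vbproj", ".sln", ".proj"))
                   for a in args)

def triage(events):
    """Return (rule_name, event) pairs for every event matching a heuristic."""
    hits = []
    for ev in events:
        if chm_spawns_powershell(ev):
            hits.append(("chm_powershell", ev))
        if msbuild_without_project(ev):
            hits.append(("msbuild_no_project", ev))
    return hits

# Constructed sample telemetry (not real logs): two chain events, two benign ones.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\hh.exe", PS, "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcessEvent(PS, MSB, "MSBuild.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe", MSB,
                 r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` returns the first two events only; the developer build and the interactive PowerShell launch are left alone.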
Activities
Once installed, Masslogger will attempt to extract user credentials from a number of mail and messaging applications, including Outlook and Thunderbird, as well as several FTP clients. It will also extract user browser sessions, cookies, and browsing history from any Chromium-based web browsers. Any extracted information is then packaged in a new RAR archive and sent to a command and control server.
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 3 March 2021 4:54 pm