Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials

A credential stealer notorious for concentrating on Home windows units has resurfaced in a new phishing marketing campaign that aims to steal qualifications from Microsoft Outlook, Google Chrome, and instant messenger applications.

Generally directed in opposition to consumers in Turkey, Latvia, and Italy commencing mid-January, the attacks entail the use of MassLogger — a .Web-based mostly malware with abilities to hinder static assessment — constructing on equivalent campaigns undertaken by the exact same actor towards people in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, Oct, and November 2020.

MassLogger was initially noticed in the wild last April, but the existence of a new variant implies malware authors are regularly retooling their arsenal to evade detection and monetize them.

password auditor

“Despite the fact that operations of the Masslogger trojan have been earlier documented, we identified the new marketing campaign noteworthy for using the compiled HTML file structure to commence the an infection chain,” researchers with Cisco Talos claimed on Wednesday.


Compiled HTML (or .CHM) is a proprietary online assist format made by Microsoft that’s applied to offer subject-based reference details.

The new wave of assaults commences with phishing messages made up of “legitimate-hunting” subject matter lines that seem to relate to a business enterprise.

A person of the e-mail focused at Turkish people had the topic “Domestic buyer inquiry,” with the human body of the message referencing an hooked up quote. In September, October and November, the e-mails took the form of a “memorandum of knowing,” urging the receiver to sign the document.


Irrespective of the message topic, the attachments adhere to the similar structure: a RAR multi-quantity filename extension (e.g., “70727_YK90054_Teknik_Cizimler.R09”) in a bid to bypass makes an attempt to block RAR attachments working with its default filename extension “.RAR.”

These attachments include a single compiled HTML file that, when opened, shows the concept “Consumer assistance,” but in simple fact arrives embedded with obfuscated JavaScript code to develop an HTML web site, which in convert incorporates a PowerShell downloader to hook up to a authentic server and fetch the loader finally dependable for launching the MassLogger payload.

Aside from exfiltrating the amassed knowledge by using SMTP, FTP or HTTP, the most current edition of MassLogger (variation 3..7563.31381) features functionality to pilfer credentials from Pidgin messenger client, Discord, NordVPN, Outlook, Thunderbird, Firefox, QQ Browser, and Chromium-dependent browsers these kinds of as Chrome, Edge, Opera, and Courageous.

“Masslogger can be configured as a keylogger, but in this situation, the actor has disabled this performance,” the researchers observed, adding the menace actor mounted a variation of Masslogger control panel on the exfiltration server.

With the marketing campaign nearly entirely executed and current only in memory with the sole exception of the compiled HTML assist file, the importance of conducting normal memory scans can’t be overstated sufficient.

“Consumers are encouraged to configure their systems for logging PowerShell events this sort of as module loading and executed script blocks as they will clearly show executed code in its deobfuscated format,” the researchers concluded.

Fibo Quantum