News summary
- As protection techniques develop, attackers are finding it harder to successfully attack their targets and must find creative ways to succeed.
- Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers.
- Apart from the initial email attachment, all the stages of the attacks are fileless and they only occur in volatile memory.
- These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1566 — Phishing, T1059.001 and T1059.007 — Command and Scripting Interpreters, T1140 — Deobfuscate/Decode Files or Information, T1497 — Virtualization/Sandbox Evasion, T1555.003 — Credentials from Web Browsers, T1115 — Clipboard Data, T1056.001 — Keylogging and T1048.003 — Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.
Attackers are constantly reinventing ways to monetize their tools. Cisco Talos recently discovered an interesting campaign affecting Windows systems and targeting users in Turkey, Latvia and Italy, although similar campaigns by the same actor have also been targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain in September, October and November 2020.
The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the killchain.
What's new?
Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain. This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware's processes.
How did it work?
The infection starts with an email message containing a legitimate-looking subject line that seems to relate to a business. The email contains a RAR attachment with a slightly unusual filename extension.
The usual filename extension for RAR files is .rar. However, RAR-compressed archives can also be split into multi-volume archives, whose parts carry extensions starting at .r00 and counting onwards instead of .rar. The attachment in this campaign uses that multi-volume naming, and the archive it carries contains a file with the .chm extension. This naming scheme is presumably chosen to bypass any programs that would block the email attachment based on its file extension.
CHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Every stage of the infection is obfuscated to avoid detection by simple signatures.
The second stage is a PowerShell script that eventually deobfuscates into a downloader, which then retrieves and loads the main PowerShell loader. The Masslogger loaders seem to be hosted on compromised legitimate hosts under a filename consisting of one letter and one number followed by the extension .jpg, for example "D9.jpg".
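Two of the characteristics described above are easy to turn into defender-side checks: the multi-volume RAR extension on a mail attachment (the trick used to slip past .rar extension blocklists) and the one-letter-one-digit ".jpg" name of the PowerShell loader, which is served from a web host but is a script rather than an image. The following Python is an added example written for this page, not code from Talos or from the campaign; the attachment names, URLs and content types it runs over are constructed sample input, and the ATT&CK references are the ones the summary lists.

```python
import re
from typing import Dict, List

# Constructed sample input (not taken from the Talos post): a few
# mail-gateway attachment names and a few proxy log records.
ATTACHMENTS = [
    "invoice_2020-11.r00",   # multi-volume RAR part, not .rar
    "statement.rar",         # ordinary archive, caught by a .rar blocklist
    "quote.part1.rar",       # alternative multi-volume naming
    "help.chm",              # compiled HTML help file
    "report.pdf",
]

PROXY_LOG = [
    {"url": "http://compromised.example/images/D9.jpg", "content_type": "text/plain"},
    {"url": "http://cdn.example/gallery/sunset.jpg", "content_type": "image/jpeg"},
    {"url": "http://other.example/files/a1.jpg", "content_type": "application/octet-stream"},
    {"url": "http://ok.example/thumbs/a1.jpg", "content_type": "image/jpeg"},
]

# RAR multi-volume parts are named .r00, .r01 ... or .partN.rar. A lone
# .rNN attachment in e-mail is unusual for legitimate use and is exactly
# what an extension blocklist that only knows ".rar" misses.
MULTIVOLUME_RAR = re.compile(r"\.(?:r\d{2}|part\d+\.rar)$", re.IGNORECASE)
CHM_FILE = re.compile(r"\.chm$", re.IGNORECASE)
# Loader naming pattern described in the post: one letter, one digit, ".jpg".
SHORT_JPG_NAME = re.compile(r"/[a-z]\d\.jpg$", re.IGNORECASE)


def attachment_findings(name: str) -> List[str]:
    """Return the reasons (if any) an attachment name deserves a closer look."""
    findings = []
    if MULTIVOLUME_RAR.search(name):
        findings.append("multi-volume RAR extension: evades .rar extension blocking (T1566)")
    if CHM_FILE.search(name):
        findings.append("compiled HTML help file: can carry active script (T1059.007)")
    return findings


def proxy_findings(record: Dict[str, str]) -> List[str]:
    """Flag a '.jpg' download that is not actually served as an image.

    The short name alone is too weak to alert on (plenty of real images are
    called a1.jpg); the alert requires the name pattern AND a non-image
    Content-Type, which is what a script disguised as an image looks like.
    """
    url = record["url"]
    if not SHORT_JPG_NAME.search(url):
        return []
    ctype = record["content_type"].lower()
    if ctype.startswith("image/"):
        return []
    return [f"'.jpg' URL served as {ctype}: possible PowerShell loader (T1059.001, T1140)"]


def triage(attachments: List[str], proxy_log: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run both checks and return only the items that produced findings."""
    report: Dict[str, List[str]] = {}
    for name in attachments:
        hits = attachment_findings(name)
        if hits:
            report[name] = hits
    for record in proxy_log:
        hits = proxy_findings(record)
        if hits:
            report[record["url"]] = hits
    return report


if __name__ == "__main__":
    for item, hits in triage(ATTACHMENTS, PROXY_LOG).items():
        print(item)
        for hit in hits:
            print("  -", hit)
```

The content-type test is the part worth keeping: a loader hosted as "D9.jpg" has a harmless-looking name, but a web proxy that records the response Content-Type (or, better, the first bytes of the body) can tell an image from a script regardless of what the URL says.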
The main payload is a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from a variety of sources, targeting home and business users. Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality.
So what?
While most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users' credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks.
Based on the IOCs we retrieved, we have moderate confidence that this actor has previously used other payloads such as AgentTesla, Formbook and AsyncRAT in campaigns starting as early as April 2020.