By Vanja Svajcer.

News summary

  • As protection techniques develop, attackers are finding it harder to successfully attack their targets and must find creative ways to succeed.
  • Cisco Talos recently discovered a campaign utilizing a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from multiple sources such as Microsoft Outlook, Google Chrome and instant messengers.
  • Apart from the initial email attachment, all the stages of the attacks are fileless and they only occur in volatile memory.
  • These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1566 — Phishing, T1059.001 and T1059.007 — Command and Scripting Interpreters, T1140 — Deobfuscate/Decode Files or Information, T1497 — Virtualization/Sandbox Evasion, T1555.003 — Credentials from Web Browsers, T1115 — Clipboard Data, T1056.001 — Keylogging and T1048.003 — Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.

Attackers are constantly reinventing ways to monetize their tools. Cisco Talos recently discovered an interesting campaign affecting Windows systems and targeting users in Turkey, Latvia and Italy, although similar campaigns by the same actor have also been targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain in September, October and November 2020.

The actor employs a multi-modular approach that starts with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. But it can also be a weakness, as there are plenty of opportunities for defenders to break the killchain.

What's new?

Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain. This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware's processes.

How did it work?

The infection starts with an email message containing a legitimate-looking subject line that seems to relate to a business. The email contains a RAR attachment with a slightly unusual filename extension.

The usual filename extension for RAR files is .rar. However, RAR-compressed archives can also be split into multi-volume archives. In this case, the filename creates files with the RAR extension named "r00" and onwards with the .chm file extension. This naming scheme is used by the Masslogger campaign, presumably to bypass any programs that would block the email attachment based on its file extension.

CHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Every stage of the infection is obfuscated to avoid detection using simple signatures.

The second stage is a PowerShell script that eventually deobfuscates into a downloader and downloads and loads the main PowerShell loader. The Masslogger loaders seem to be hosted on compromised legitimate hosts with a filename containing one letter and one number concatenated with the filename extension .jpg. For example, "D9.jpg".

The main payload is a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from a variety of sources, targeting home and business users. Masslogger can be configured as a keylogger, but in this case, the actor has disabled this functionality.

So what?

While most of the public attention seems to be focused on ransomware attacks, big game hunting and APTs, it is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users' credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks.

Based on the IOCs we retrieved, we have moderate confidence that this actor has previously used other payloads such as AgentTesla, Formbook and AsyncRAT in campaigns starting as early as April 2020.

Technical case overview

Introduction

Masslogger is a spyware program written in .NET with a focus on stealing user credentials, mostly from the browsers but also from several popular messaging applications and email clients. It was released in April 2020 and sold on underground forums for a moderate price with a few licensing options.

The exfiltration of data takes place over one or more of these channels:

  • FTP (plain text over default port 21), the configuration contains user credentials.
  • HTTP — Using a PHP-based control panel.
  • SMTP — The user has to specify email address, server and credentials to use it.
    We won't dig deep into the functionality of the final Masslogger payload, as this was previously well-described by other researchers. Instead, we'll focus on the infection vector and the memory-only delivery chain before the final stage is loaded. In case of commodity spyware such as Masslogger, it is the infection chain and contextual information that distinguish the individual actors behind each campaign.

The infection chain we follow seems to focus on business users, with email being the infection vector. The email contains a RAR attachment with a compiled HTML (.chm) attachment. The rest of the chain is split between JavaScript, PowerShell and .NET.

Email as an infection vector

The latest campaign began in mid-January. Based on the combination of discovered emails and file names, we believe it was targeting organizations in Turkey, Latvia and Italy. We have observed similar campaigns happening in several instances before, starting no later than September 2020. In previous campaigns, the actor was targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain.

European countries targeted by the observed Masslogger campaigns from September 2020.

The email is written in the language of the targeted recipient's top-level domain. The first example is an email targeted at users in Turkey with the subject "Domestic customer inquiry" and the body "At the request of our customer, please send your attached best quotes."

Email campaign example targeting users in Turkey.

Some earlier campaigns were purported to be a request to open and sign a memorandum of understanding. The actor attempted to make emails more credible by adding a link to the legitimate scanning application to the email footer "Shipped with Genius Scan for iOS."

For the campaigns in September, October and November, the adversaries sent emails containing a subject line that translates to "MOU Information" with the text "Please return it signed and stamped. Best regards," in the body.

An example of an earlier email targeting users in Spain.

An example of an earlier email targeting users in Bulgaria.

The attachment file name for the latest campaign is chosen according to the email subject, with possible random strings prepended, for example, "70727_YK90054_Teknik_Cizimler." The attachment filename extension is chosen to bypass simple blockers that attempt to block RAR attachments using its default filename extension ".rar". The actor changes the filename extension to RAR multi-volume filename extensions, starting from ".r00". WinRAR and other RAR-capable unarchivers will still open the file without problems.

The attached RAR archive contains a single file with the ".chm" filename extension. CHM stands for "compiled HTML files," and it is one of the default formats for Windows Help files. Compiled HTML files can be easily created using the Windows HTML Help executable program hh.exe. The same program can be used with the command line option "-decompile" to extract the embedded and compressed HTML files.

When the user opens the attachment with the default application, a simple HTML page is displayed, containing the text "Customer service, Please Wait…"

The HTML page displayed when the .CHM attachment is opened.

When the CHM file is decompiled and the HTML file extracted, it contains lightly obfuscated JavaScript code to create an HTML page. The HTML content is escaped and reversed, so it is easy to deobfuscate.

Obfuscated JavaScript code in the decompiled HTML file.

The HTML code contains an ActiveX object containing PowerShell code obfuscated in a similar way to strings in the JavaScript code of the CHM file.

HTML page with an ActiveX object embedded and PowerShell code.

When deobfuscated, we can observe a PowerShell downloader stage, which simply connects to the download server, usually a compromised legitimate host. The download server hosts the next stage of the infection.

PowerShell downloader stage.

The URL to download the next stage ends in the path with the format [1Letter][1 to 2-digit number].jpg, for example, hxxp://sinetcol[.]co/D7.jpg. This stage is encoded with a simple hexadecimal encoding scheme and is converted to code by first splitting the downloaded content using the character "^" as the delimiter and then adding ASCII representation of each number to a string variable. Eventually, the string containing PowerShell code is piped into the Invoke-Expression (IEX) cmdlet. This is the PowerShell loader.

Encoded PowerShell loader

The PowerShell loader contains two encoded .NET assemblies. The first one is a DLL and the other an executable.

Loader DLL and final Masslogger payload

Start of the PowerShell loader.

The PowerShell loader first decodes the .NET DLL and then deobfuscates the string "System.AppDomain" to get the reference to its method "GetCurrentDomain." The loader then creates a byte array where it stores the Masslogger loader before it invokes the GetCurrentDomain function to get the context of execution and the process where the script is executing.

The acquired domain is then used to load the .NET DLL assembly into the powershell.exe process space with the assembly name "Waves.dll." Waves employs a Costura loader, an open-source reflective assembly loader alternative to ILMerge and is obfuscated with DotNetGuard obfuscator, all to make analysis and detection more difficult.

Once the DLL is loaded as a .NET assembly, the PowerShell loader calls the method tasked with creating a msbuild.exe process, injecting the final payload into its process space and launching it.

After decoding, the DLL loader assembly is created and loaded.

The Masslogger payload is stored in memory as a buffer compressed with gzip. The buffer is decompressed by the DLL loader. The internal assembly name of the payload is "service-med-star.gr", which is a concatenation of the username and the server used for FTP credentials exfiltration.

Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.

This version of Masslogger contains the functionality to target and retrieve credentials from the following applications:

  • Pidgin messenger client
  • FileZilla FTP client
  • Discord
  • NordVPN
  • Outlook
  • FoxMail
  • Thunderbird
  • FireFox
  • QQ Browser
  • Chromium based browsers (Chrome, Chromium, Edge, Opera, Brave)

The configuration for a payload is stored as an encrypted array of strings within the payload itself. Although the configuration is encrypted and the payload obfuscated with an unknown obfuscator it is still possible to find code used to decrypt the configuration as previously documented by Mario Henkel.

The configuration is decrypted using the standard .NET framework functionality. This allows us to place a breakpoint to the beginning of the method System.Security.Cryptography.AesCryptoServiceProvider and step back to the configuration decryption function within the payload body and trace the value returned to the caller after each configuration string is decrypted.

Breakpoints placed to decrypt the payload configuration.

The decrypted configuration is parsed by Masslogger to configure the trojan to target a specific set of applications and exhibit functionality. In our case, the Masslogger version we are dealing with is 3.0.7563.31381 and the exfiltration is conducted over FTP, with med-star.gr as the FTP exfiltration server.

Although the payload is configured to use FTP, the actor has installed a version of Masslogger control panel on the same server with the URL hxxps://www[.]med-star[.]gr/panel/?/login.

Masslogger control panel login screen.

Decrypted Masslogger configuration strings.

Once the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a filename containing the username, two-letter country ID, unique machine ID and the timestamp for when the file was created.

Uploaded credential files begin with the information about the user and the infected system, configuration options and processes running, followed by the retrieved credentials delimited by lines containing targeted application names.

The beginning of an uploaded exfiltrated credentials file.

Conclusion

This recently discovered Masslogger campaign — which we attribute to an actor launching similar credential-stealing campaigns — back to at least September 2020. There is moderate confidence the author has previously used AgentTesla with similar goals in April 2020. The campaigns are targeted to several European countries, shifting its focus monthly. In our research, we detected email messages targeting Turkey, Latvia, Lithuania, Bulgaria, Hungary, Estonia, Romania, Italy and Spain, as well as messages written in English.

Masslogger campaign modules.

The observed campaign is almost entirely executed and present only in memory, which emphasizes the importance of conducting regular and background memory scans. The only component present on disk is the attachment and the compiled HTML help file.

Users are advised to configure their systems for logging PowerShell events such as module loading and executed script blocks as they will show executed code in its deobfuscated format. Talos will continue to track similar campaigns to make sure adequate protection is included in Cisco Secure products.

Coverage  

Ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.

Cisco Cloud Web Security (CWS) orWeb Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS),Cisco ISR andMeraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and builds protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase onSnort.org.

OSQuery

Cisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here https://github.com/Cisco-Talos/osquery_queries/blob/master/win_forensics/potential_compiled_HTML_abuse.yaml

IOCs

URLs

hxxp://sinetcol[.]co/A7.jpg - January
hxxp://sinetcol[.]co/D7.jpg - January
hxxp://becasmedikal[.]com.tr/A5.jpg - January
hxxp://risu[.]fi/D9.jpg - November

hxxp://topometria[.]com.cy/A12.jpg - September
hxxp://bouinteriorismo[.]com/R9.jpg - November
hxxp://optovision[.]gr/4B.jpg - October
hxxp://hotelaretes[.]gr/V8.jpg - October
hxxp://jetfleet24[.]com/T5.jpg - October
hxxps://www.med-star[.]gr/panel/?/login - C2 panel
fxp://med-star[.]gr - exfiltration FTP

Email messages

54ca02b013e898be2606f964bc0946430a276de9ef478596a1d33cb6f806db8c
516d45fcbdbdc4526bdd0f6979fe3ad929b82e1fd31247c7891528703ac16131
1c0a17a11a4b64dbe6082be807309a3c447b4861ea56155c1bfcf4d072746d38
7c92e1befd1cc5fa4a253716ac8441f6e29a351b7e449d3b8ef171cb6181db8e
83c64bf1c919c5e6ce25633d0eff2b7cda5b93a210b60372d984f862933e0b4e
e2c3ad4bedf9e6d1122d418e97dfb743b1559a5af99befabed5bb7c6164028a8
8129a86056aa28f2af87110bb25732b14b77f18a7c820d9bcf1adcd2c7d97a7a

Initial scripts

742b9912f329c05296e2f837555dceea0ae3e06e80aa178a9127692d25e21479 - September 2020, Windows batch file
04910322c2e91d58e9ed3c5bcc3a18be1ba1b5582153184d1f5da3d9c42bac15 - January 2021, CHM file
aac62b80b790d96882b4b747a8ed592f45b39ceadd9864948bb391f3f41d7f9f - January 2021, CHM file
f946e1c690fc2125af4ad7d3d1b93c6af218a82d55a11a5a6ee5a9b04a763e7f - January 2021, CHM file
9cd7622ade7408c03e0c966738f51f74f884fbafdf3fe97edf4be374a7fb1d77 - November 2020, CHM file
5415bcc4bffa5191a1fac3ce3b11c46335d19f053f5d9d51a10f4ed77393ed82 - October 2020, CHM file

Downloaded obfuscated PowerShell loaders

0eef444f062ea06340ca7ef300cb39c44a6cdf7ead2732bb885d79f098991cb8
df929834de2b10efaa8b2cb67c71ae98508cfb79f22213ee24aedc38a962ccb5

DLL loaders

49fc4103d8747de341b9d3cd08f05c83f2e6943215df6939d02c7c3099345343
39dbe72ea847012243e4642d766fd4cf6fe138302cbfba67c65088b2cdefc1f4
a16fa0a14f0d20b66af550e3cdb0b60f8ffb965415404df6cc8164e62dfbe124
da256158ac0d7dc031b2541f9b7486d9822a402b6e9c5176c2ec2ed717592fbf

Masslogger payload

2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b