What is Mass Logger?
This malicious program is also classified as 'stealer malware'. The primary purpose of MassLogger is to extract data (i.e., it steals information). Like a keylogger, which records keystrokes, it puts the privacy and security of any typed information at risk. Keylogging functionality is typically used to steal log-in credentials (usernames and passwords) for various accounts in order to hijack them. This malware ships with several features: a keylogger, Windows Defender exclusion, screenshot capture, spreading via USB, clipboard stealing, and VM detection.
Who Developed it?
[Figure: NYAN CAT - Developer]
How does it work?
[Figure: Mass Logger modules]
First Stage:
- The infection starts with an email whose subject line looks legitimate and business-related. The email carries a RAR attachment with a slightly unusual filename extension. The usual extension for RAR files is .rar, but RAR archives can also be split into multi-volume archives whose volumes use the extensions .r00, .r01 and onwards. Here the attachment uses one of those multi-volume extensions, and the archive holds a file with the .chm extension.
- CHM is a compiled HTML file; this one contains an embedded HTML file with JavaScript code that starts the active infection process. Every stage of the infection is obfuscated to evade detection by simple signatures.
Second Stage:
- A PowerShell script that de-obfuscates (i.e., turns code that is hard to read into straightforward, understandable code) into a downloader, which then downloads and loads the main PowerShell loader.
- The Masslogger loaders appear to be hosted on compromised legitimate hosts under a filename made of one letter and one number followed by the .jpg extension, for example "D9.jpg". The main payload is a variant of the Masslogger trojan, designed to retrieve and exfiltrate user credentials from a variety of sources and targeting home and business users.
Deeper Analysis on Email as an Infection Vector:
[Figure: Email targeting users in Spain]
The attachment's filename extension is chosen to bypass simple filters that block RAR attachments by their default ".rar" extension. The actor instead uses the RAR multi-volume filename extensions, starting from ".r00". WinRAR and other RAR-capable unarchivers still open the file without problems.
The attached RAR archive contains a single file with the ".chm" filename extension. CHM stands for "compiled HTML files," and it is one of the default formats for Windows Help files. Compiled HTML files can be easily created using the Windows HTML Help executable program hh.exe. The same program can be used with the command line option "-decompile" to extract the embedded and compressed HTML files. When the user opens the attachment with the default application, a simple HTML page is displayed, containing the text "Customer service, Please Wait…"
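Because the lure relies on the mail filter trusting the filename extension, a defender-side check should identify the attachment by its content instead. The following Python is an added example, not code from the original post: it recognises RAR archives (RAR4 and RAR5 signatures) and CHM files by their magic bytes regardless of extension, and additionally flags multi-volume RAR naming such as .r00. The attachment bytes used below are constructed test data, not samples from the campaign.

```python
"""Identify e-mail attachments by content rather than by filename extension.

Added example (not from the original post). Flags RAR archives, including
multi-volume names such as .r00/.r01 and .partN.rar, and CHM help files no
matter what extension they carry. All sample bytes below are constructed.
"""
import re

# File signatures at offset 0. RAR4 and RAR5 archives share a "Rar!" prefix
# but differ in the trailing version bytes; CHM files start with "ITSF".
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
CHM_MAGIC = b"ITSF"

# Multi-volume RAR naming conventions: ".r00", ".r01", ... or ".part1.rar".
MULTI_VOLUME_RE = re.compile(r"\.r\d{2}$|\.part\d+\.rar$", re.IGNORECASE)


def identify(data: bytes) -> str:
    """Return 'rar', 'chm' or 'unknown' based on the leading bytes only."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Combine content type and naming to decide whether to hold an attachment."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if kind == "rar" and ext != "rar":
        reasons.append("RAR archive with a non-.rar extension")
    if MULTI_VOLUME_RE.search(filename):
        reasons.append("multi-volume archive naming")
    if kind == "chm":
        reasons.append("compiled HTML help file (can embed script)")
    return {
        "filename": filename,
        "type": kind,
        "flag": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample attachments (magic bytes followed by filler).
SAMPLES = {
    "invoice.r00": RAR5_MAGIC + b"\x00" * 16,   # renamed RAR volume
    "report.rar": RAR4_MAGIC + b"\x00" * 16,    # ordinary RAR archive
    "help.chm": CHM_MAGIC + b"\x03\x00" * 8,    # CHM help file
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(inspect_attachment(name, blob))
```

The check is deliberately independent of the declared extension, so an archive renamed from .rar to .r00 is still seen as a RAR archive; a mail gateway would then apply the same policy it applies to .rar, or hold the message for review.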
When de-obfuscated, we can observe a PowerShell downloader stage, which simply connects to the download server, usually a compromised legitimate host. The download server hosts the next stage of the infection.
[Figure: PowerShell downloader page]
The PowerShell loader contains two encoded .NET assemblies: the first is a DLL and the other an executable. The loader first decodes the .NET DLL and then deobfuscates the string "System.AppDomain" to get a reference to its method "GetCurrentDomain." It then creates a byte array in which it stores the Masslogger loader before invoking the GetCurrentDomain function to obtain the execution context and the process in which the script is running.
[Figure: Start of the PowerShell loader]
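A loader of this shape leaves two static traces a defender can look for even before running it: long base64 runs that decode to a PE image (the "MZ" header) and the reflection strings used to load it in-process. The Python below is an added example, not code from the original post, that performs that triage on script text. The sample script it scans is constructed for the example and the embedded "PE" is just an MZ header followed by filler; the hint names are taken from the loader behaviour described above.

```python
"""Static triage of a PowerShell script for embedded .NET assemblies.

Added example (not from the original post). Finds long base64 runs, decodes
them and reports blobs that begin with the "MZ" PE header, together with the
reflection strings a loader needs. The script text below is constructed.
"""
import base64
import binascii
import re

# A base64 run long enough to be worth decoding (short tokens are noise).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Strings the post associates with in-memory loading via reflection.
REFLECTION_HINTS = ("GetCurrentDomain", "Assembly", "Load", "Invoke")


def find_embedded_pe(script: str) -> list:
    """Return offset/length of every base64 blob that decodes to an MZ image."""
    findings = []
    for m in B64_RUN.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
        if raw[:2] == b"MZ":
            findings.append({"offset": m.start(), "decoded_length": len(raw)})
    return findings


def triage(script: str) -> dict:
    """Summarise the indicators; 'suspicious' needs both a PE and a loader hint."""
    pes = find_embedded_pe(script)
    hints = [h for h in REFLECTION_HINTS if h in script]
    return {
        "embedded_pe_count": len(pes),
        "reflection_hints": hints,
        "suspicious": bool(pes) and bool(hints),
    }


# Constructed sample: an MZ header plus filler, base64-encoded into a script
# that resolves GetCurrentDomain by reflection and loads the bytes.
_FAKE_PE = b"MZ" + b"\x90" * 80
SAMPLE_SCRIPT = (
    "$bytes = [System.Convert]::FromBase64String('"
    + base64.b64encode(_FAKE_PE).decode()
    + "')\n"
    "$m = [System.AppDomain].GetMethod('GetCurrentDomain')\n"
    "$dom = $m.Invoke($null, $null)\n"
    "$dom.Load($bytes)\n"
)

BENIGN_SCRIPT = "Get-ChildItem C:\\Logs | Sort-Object Length\n"

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
    print(triage(BENIGN_SCRIPT))
```

The hint matching only sees strings that are present in clear text; the loader described above rebuilds "System.AppDomain" at run time, so the base64-to-MZ check is the more robust of the two signals and the one to alert on first.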
The configuration for a payload is stored as an encrypted array of strings within the payload itself; the configuration is encrypted and the payload is obfuscated with an unknown obfuscator. The decrypted configuration is parsed by Masslogger to target a specific set of applications and enable the corresponding functionality. In our case, the Masslogger version we are dealing with is 3.0.7563.31381 and exfiltration is conducted over FTP, with med-star.gr as the FTP exfiltration server.
Although the payload is configured to use FTP, the actor has also installed a version of the Masslogger control panel on the same server, at the URL hxxps://www[.]med-star[.]gr/panel/?/login.
[Figure: Login screen]
Uploaded credential files begin with information about the user and the infected system, the configuration options and the running processes, followed by the retrieved credentials, delimited by lines containing the targeted application names.
[Figure: Credentials file]
Conclusion:
Through this blog we gathered insight into how Mass Logger works and took a deeper look at the email infection vector. Masslogger is a highly configurable and modular keylogger and spyware. Its author tried to make it more sophisticated in features than other keyloggers, and these features make this advanced malware hard to detect. Are you interested in learning about its functionality and the latest updates regarding it? To know more, stay tuned and follow our blog posts.