Mass (Key)-Logger? or Spyware? : Part-1

 


Malware authors make money by selling their products to would-be cybercriminals. A keylogger called Masslogger recently caught the attention of security researchers, who expect it to remain a threat for the foreseeable future. This keylogger and spyware is distributed through malicious spam (malspam) attachments and offers more features than most comparable keylogger tools. The campaign has been observed using several different attachment file types as its initial infection vector.

What is Mass Logger?


Masslogger is a spyware program written in .NET with a focus on stealing user credentials, mostly from the browsers but also from several popular messaging applications and email clients. It was released in April 2020 and sold on underground forums for a moderate price with a few licensing options.

Masslogger is also classified as a 'stealer': its primary purpose is to extract information from the infected machine. Like any keylogger, it records keystrokes, which puts every piece of typed information at risk; keylogging is typically used to steal login credentials (usernames and passwords) so that the attacker can hijack the accounts. Beyond keylogging, the malware offers Windows Defender exclusion, screenshot capture, spreading via USB drives, clipboard stealing and virtual machine (VM) detection.

Who Developed it?

NYAN CAT - Developer

MassLogger was created by an actor named NYANxCAT, who is very active in the underground community. This actor has published a lot of malicious code on GitHub under the guise of "educational" purposes. NYANxCAT is behind a wide variety of remote access trojans such as LimeRAT and AsyncRAT, and the actor's YouTube videos suggest that several other hacking tools of various kinds come from the same source. The veil of education has since fallen away: the videos have been removed from the channel and the malware is sold on entry-level hacking forums.

How does it work?

Mass Logger modules

First Stage:

  • The infection starts with an email message carrying a legitimate-looking, business-related subject line. The email contains a RAR attachment with a slightly unusual filename extension. The usual extension for RAR files is .rar, but RAR archives can also be split into multi-volume archives, whose volumes use the extensions .r00, .r01 and so on. The attacker gives the attachment one of these multi-volume extensions (starting at .r00); the archive itself contains a single file with the .chm extension.
  • CHM is a compiled HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Every stage of the infection is obfuscated to avoid detection using simple signatures.

Second Stage:

  • A PowerShell script that de-obfuscates itself (obfuscation makes a program deliberately hard to read; de-obfuscation recovers the readable form) into a downloader, which then downloads and loads the main PowerShell loader.
  • The Masslogger loaders seem to be hosted on compromised legitimate hosts with a filename containing one letter and one number concatenated with the filename extension .jpg. For example, "D9.jpg". The main payload is a variant of the Masslogger trojan designed to retrieve and exfiltrate user credentials from a variety of sources, targeting home and business users.

Now, let’s move on to the technical aspects of this malware. The infection chain focuses on business users, with email as the infection vector. The email contains a RAR attachment holding a compiled HTML (.chm) file, and the rest of the chain is split between JavaScript, PowerShell and .NET.

Deeper Analysis on Email as an Infection Vector:

Based on the combination of discovered emails and file names, it was seen that this malware was targeting organizations in Turkey, Latvia and Italy. In previous campaigns, the threat actor was targeting users in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain.


European countries targeted by the observed Masslogger campaigns since September 2020

For the campaigns in September, October and November, the adversaries sent emails containing a subject line that translates to "MOU Information" with the text "Please return it signed and stamped. Best regards," in the body.

Email targeting users in Spain

The attachment filename extension is chosen to bypass simple blockers that attempt to block RAR attachments using its default filename extension ".rar". The actor changes the filename extension to RAR multi-volume filename extensions, starting from ".r00". WinRAR and other RAR-capable unarchivers will still open the file without problems.
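As an added example (not part of the original post or of the Masslogger analysis it summarises), the following Python shows the check a mail gateway needs in order not to be fooled by this trick: identify the attachment by its leading bytes rather than by its name, and treat the multi-volume extensions themselves as suspicious. The RAR, ZIP and CHM signatures are the real ones; the attachment names and contents in SAMPLES are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Leading bytes (file signatures) of the container formats that matter here.
MAGIC: Dict[str, bytes] = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "zip":  b"PK\x03\x04",
    "chm":  b"ITSF",
}

# What a naive extension filter blocks, versus the multi-volume RAR
# extensions (.r00, .r01, ...) the campaign used to get past it.
BLOCKED_EXTENSIONS = {".rar", ".chm"}
MULTIVOLUME_RAR = re.compile(r"^\.r\d{2}$", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    detected_type: Optional[str]
    block: bool
    reason: str


def detect_type(data: bytes) -> Optional[str]:
    """Identify the container by its magic bytes, ignoring the filename."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether to block an attachment, trusting content over extension."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    detected = detect_type(data)
    if detected in ("rar4", "rar5"):
        return Verdict(filename, ext, detected, True,
                       f"RAR signature in content, named {ext or '(no extension)'}")
    if detected == "chm":
        return Verdict(filename, ext, detected, True, "CHM (compiled HTML Help) signature")
    if MULTIVOLUME_RAR.match(ext):
        return Verdict(filename, ext, detected, True, "multi-volume RAR extension")
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(filename, ext, detected, True, "blocked extension")
    return Verdict(filename, ext, detected, False, "no archive indicator")


# Constructed samples (not real campaign files): a RAR4 header under a
# multi-volume name, a RAR5 header under an innocent-looking name, a CHM
# header, and a PDF that should pass.
SAMPLES = {
    "MOU_Information.r00": MAGIC["rar4"] + b"\x00" * 32,
    "invoice.txt":         MAGIC["rar5"] + b"\x00" * 32,
    "help.chm":            MAGIC["chm"] + b"\x03\x00\x00\x00" + b"\x00" * 28,
    "brochure.pdf":        b"%PDF-1.7\n" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = assess_attachment(name, blob)
        print(f"{name:24} block={v.block!s:5} type={v.detected_type} ({v.reason})")
```

The order of the checks is the point: a file whose bytes say RAR is blocked whatever it is called, and a file named .r00 is blocked even if its bytes are unrecognised, so renaming alone no longer gets an archive through.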

The attached RAR archive contains a single file with the ".chm" filename extension. CHM stands for "compiled HTML files," and it is one of the default formats for Windows Help files. Compiled HTML files can be easily created using the Windows HTML Help executable program hh.exe. The same program can be used with the command line option "-decompile" to extract the embedded and compressed HTML files.

When the user opens the attachment with the default application, a simple HTML page is displayed, containing the text "Customer service, Please Wait…"
 
Display of the HTML page when .CHM attachment is opened.



The HTML code contains an ActiveX object that carries PowerShell code, obfuscated in the same way as the strings in the CHM file's JavaScript.

ActiveX object embedded 
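The post does not reproduce the object itself. As an added example (mine, not code from the post or from the malware), the Python below extracts the program and arguments from an HTML Help "ShortCut" object, which uses the hhctrl.ocx control (CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11) to let a CHM page launch a command, and checks whether a script on the page fires it automatically. SAMPLE_HTML is constructed, with a harmless PowerShell command standing in for the obfuscated payload; on a real sample, run hh.exe -decompile first to obtain the HTML.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# CLSID of the HTML Help ActiveX control (hhctrl.ocx). Its "ShortCut"
# command launches an arbitrary program from within a CHM page.
HH_CONTROL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"


class HelpObjectParser(HTMLParser):
    """Collect every <OBJECT> together with its <PARAM> children."""

    def __init__(self) -> None:
        super().__init__()
        self.objects: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "object":
            self._current = {"id": a.get("id", ""),
                             "classid": a.get("classid", "").lower(),
                             "params": {}}
        elif tag.lower() == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag: str) -> None:
        if tag.lower() == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


def find_shortcut_commands(html: str) -> List[Dict]:
    """Return program/arguments for every HTML Help ShortCut object and
    whether a script on the page triggers it via <id>.Click()."""
    parser = HelpObjectParser()
    parser.feed(html)
    parser.close()
    findings = []
    for obj in parser.objects:
        if HH_CONTROL_CLSID not in obj["classid"]:
            continue
        if obj["params"].get("command", "").lower() != "shortcut":
            continue
        # Item1 is "window,program,arguments"; the arguments may contain commas.
        parts = obj["params"].get("item1", "").split(",", 2)
        program = parts[1].strip() if len(parts) > 1 else ""
        arguments = parts[2].strip() if len(parts) > 2 else ""
        auto_click = bool(obj["id"]) and re.search(
            re.escape(obj["id"]) + r"\s*\.\s*Click\s*\(", html, re.IGNORECASE) is not None
        findings.append({"id": obj["id"], "program": program,
                         "arguments": arguments, "auto_click": auto_click})
    return findings


# Constructed stand-in for the decompiled CHM page (not the real sample):
# the decoy text plus a 1x1 ShortCut object that a script clicks on load.
SAMPLE_HTML = """
<html><body>
<p>Customer service, Please Wait...</p>
<OBJECT id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="1" height="1">
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Item1" value=",powershell.exe, -w hidden -c &quot;Write-Output constructed-sample&quot;">
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
</body></html>
"""

if __name__ == "__main__":
    for f in find_shortcut_commands(SAMPLE_HTML):
        print(f"object {f['id']!r} runs {f['program']} {f['arguments']} "
              f"(auto-clicked: {f['auto_click']})")
```

The extracted arguments are what you then de-obfuscate by hand or with a script; the Item2 value only controls window placement and is ignored here.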

When de-obfuscated, we can observe a PowerShell downloader stage, which simply connects to the download server, usually a compromised legitimate host. The download server hosts the next stage of the infection.

Powershell Downloader page

The PowerShell loader contains two encoded .NET assemblies: a DLL and an executable. It first decodes the DLL, then de-obfuscates the string "System.AppDomain" to obtain a reference to its "GetCurrentDomain" method. The loader stores the decoded Masslogger loader in a byte array and invokes GetCurrentDomain to obtain the execution context, that is, the process in which the script is running.

Start of the PowerShell loader

The acquired domain is then used to load the .NET DLL assembly into the powershell.exe process space with the assembly’s name "Waves.dll." Once the DLL is loaded as a .NET assembly, the PowerShell loader calls the method tasked with creating a msbuild.exe process, injecting the final payload into its process space and launching it. The Masslogger payload is stored in memory as a buffer compressed with gzip. The buffer is decompressed by the DLL loader. The internal assembly name of the payload is "service-med-star.gr", which is a concatenation of the username and the server used for FTP credentials exfiltration.
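Added example, not the post's own code: a triage script for a loader of the shape just described. It flags the indicators named above (System.AppDomain / GetCurrentDomain, Load, FromBase64String, gzip, msbuild, Invoke) and carves every long base64 run from the script text, gunzipping those that begin with the gzip magic and checking whether the result is a PE image. The post says the assemblies are "encoded" without naming the encoding, so base64 is an assumption here. SAMPLE_LOADER and the blobs embedded in it are constructed (minimal PE headers, not real assemblies).

```python
import base64
import gzip
import re
import struct
from typing import Dict, List

# Loader tricks described in the analysis, as case-insensitive substrings.
INDICATORS = (
    "System.AppDomain", "GetCurrentDomain", ".Load(", "FromBase64String",
    "GzipStream", "Decompress", "msbuild", "Invoke(",
)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def loader_indicators(script: str) -> List[str]:
    """Which of the known loader building blocks appear in the script text."""
    low = script.lower()
    return [i for i in INDICATORS if i.lower() in low]


def carve_embedded_binaries(script: str) -> List[Dict]:
    """Decode every long base64 run; gunzip if needed; report PE-ness and size."""
    findings = []
    for m in B64_RUN.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not really base64 (e.g. a long identifier)
        compressed = raw.startswith(GZIP_MAGIC)
        if compressed:
            try:
                raw = gzip.decompress(raw)
            except (OSError, EOFError):
                continue
        findings.append({"offset": m.start(), "encoded_len": len(m.group(0)),
                         "gzip": compressed, "is_pe": is_pe(raw), "size": len(raw)})
    return findings


def _minimal_pe() -> bytes:
    # Constructed stand-in for an assembly: MZ header, e_lfanew -> "PE\0\0",
    # then 256 distinct bytes so gzip cannot shrink it below the regex threshold.
    header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
    return (header + b"\x00" * (0x80 - len(header)) + b"PE\x00\x00"
            + b"\x00" * 32 + bytes(range(256)))


_DLL_B64 = base64.b64encode(_minimal_pe()).decode()
_PAYLOAD_B64 = base64.b64encode(gzip.compress(_minimal_pe())).decode()

# Constructed loader text mirroring the described steps: a base64 DLL loaded
# through the current AppDomain, then a gzip-compressed payload handed to it.
# Type and method names are placeholders, not the real sample's.
SAMPLE_LOADER = f"""
$dll = [Convert]::FromBase64String('{_DLL_B64}')
$dom = [System.AppDomain]::GetCurrentDomain()
$asm = $dom.Load($dll)
$gz  = [Convert]::FromBase64String('{_PAYLOAD_B64}')
$asm.EntryPoint.Invoke($null, @('msbuild.exe', $gz))
"""

if __name__ == "__main__":
    print("indicators:", loader_indicators(SAMPLE_LOADER))
    for f in carve_embedded_binaries(SAMPLE_LOADER):
        print(f"blob at {f['offset']}: gzip={f['gzip']} pe={f['is_pe']} size={f['size']}")
```

Carved blobs that come out as PE images are what you hand to a .NET decompiler; the gzip step matters because the final payload, as the analysis notes, sits in memory compressed and never touches disk in clear form.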
 
The configuration for a payload is stored as an encrypted array of strings within the payload itself, and the payload is further obfuscated with an unknown obfuscator. Once decrypted, the configuration is parsed by Masslogger to select the set of applications to target and the functionality to enable. In our case, the Masslogger version is 3.0.7563.31381 and exfiltration is conducted over FTP, with med-star.gr as the FTP exfiltration server.

Although the payload is configured to use FTP, the actor has installed a version of Masslogger control panel on the same server with the URL hxxps://www[.]med-star[.]gr/panel/?/login.

Login screen

Once the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a filename containing the username, two-letter country ID, unique machine ID and the timestamp for when the file was created.

Uploaded credential files begin with the information about the user and the infected system, configuration options and processes running, followed by the retrieved credentials delimited by lines containing targeted application names.

credentials file

Conclusion:

Through this blog we gained an insight into how Masslogger works, with a deeper analysis of email as the infection vector. Masslogger is a highly configurable and modular keylogger and spyware. Its author has tried to make it more sophisticated than other keyloggers, and these features make it harder to detect. Interested in its functionality and the latest updates about it? Stay tuned and follow our blog posts.




