MASS Logger, a well-known credential stealer for the Windows platform that steals credential data from Chrome, Outlook and instant-messaging apps, was detected by cybersecurity experts in attacks last week. The keylogger was used against users in Turkey, Latvia and Italy; the infections resemble the cyber-attacks from September to November 2020 that targeted Windows users in Bulgaria, Hungary, Romania, Spain, Lithuania and Estonia.
This trojan was first detected in the wild in April last year, and since then its operators appear to have kept improving its malicious code.
The infection chain starts with an email whose message is tailored to look legitimate and which carries a RAR attachment with an unusual filename extension such as “docxxxxxxxxxxx.r15”. Such a file is one volume of a multi-volume (split) RAR archive, a format chosen to trick and bypass security applications.
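A mail-gateway triage check for this lure, written as an added example for this article rather than code from the researchers: it flags split-volume RAR part names (both the old-style .rNN form seen here and the newer .partN.rar form) and any attachment whose bytes begin with a RAR marker block but whose extension does not say .rar. The sample attachments are constructed, not real captures.

```python
import re
from typing import List, Tuple

# Marker block that opens every RAR volume (RAR 4.x and RAR 5.x formats),
# including the continuation volumes of a multi-volume archive.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Old-style continuation volumes use .r00, .r01, ... (the article's sample
# ended in .r15); newer WinRAR builds use .part1.rar, .part2.rar, ...
SPLIT_VOLUME_RE = re.compile(r"\.(r\d{2}|part\d+\.rar)$")


def is_rar(data: bytes) -> bool:
    """True if the content starts with a RAR marker block."""
    return data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be held for review.

    An empty list means neither heuristic fired.
    """
    name = filename.lower()
    reasons = []
    split = SPLIT_VOLUME_RE.search(name)
    if split:
        reasons.append(f"multi-volume RAR part extension '.{split.group(1)}'")
    if is_rar(data) and not name.endswith(".rar"):
        # Covers both .r15-style parts and a RAR renamed to look like a document.
        reasons.append("RAR signature behind a non-.rar extension")
    return reasons


# Constructed sample attachments (name, first bytes); not real captures.
SAMPLES: List[Tuple[str, bytes]] = [
    ("docxxxxxxxxxxx.r15", RAR4_MAGIC + b"\x00" * 8),  # lure from the article
    ("invoice.pdf", b"%PDF-1.7\n"),                     # benign document
    ("backup.part2.rar", RAR5_MAGIC + b"\x00" * 8),     # new-style split volume
    ("report.docx", RAR4_MAGIC + b"\x00" * 8),          # RAR disguised as Office
]


def flagged(samples=SAMPLES) -> dict:
    """Map each flagged filename to the reasons it was held."""
    return {n: r for n, d in samples if (r := triage_attachment(n, d))}


if __name__ == "__main__":
    for name, reasons in flagged().items():
        print(f"{name}: {'; '.join(reasons)}")
```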
Once an unsuspecting victim opens the attachment, a pop-up message titled “Customer Service” is displayed on the screen.
The malware can exfiltrate stolen data via FTP, SMTP and HTTP. The latest version adds features to steal login credentials from Discord, NordVPN, Pidgin Messenger, Outlook, Thunderbird, Firefox, QQ Browser, Chrome, Opera, Edge and Brave. The trojan can also act as a keylogger, but according to the security researchers’ analysis that function is disabled in the detected variant.
Additionally, this MASS Logger variant executes entirely in memory, so detecting it requires continuous background checks of running applications and memory scans dedicated to malware detection.