On 17th Feb, a security researcher discovered that this attack was focused on users living in Latvia, Turkey, and Italy, and that in 2020 the attackers targeted users from Bulgaria, Spain, Hungary, Romania, and Lithuania.

What is MassLogger?
The MassLogger Trojan has been updated and is now used to steal user credentials from Microsoft Outlook, Messenger service, and Google Chrome. MassLogger was first found in April 2020 and was run under license agreements, whereas this updated version of the Trojan was built with a compiled HTML file to steal the victim's data.
How Does MassLogger Run?

The attacker behind this campaign used phishing techniques: phishing messages that contain business-related questions and a .RAR file as an attachment. Once the user opens the attachment, the files are subdivided into multiple files with the .r00 extension, which could be used to get past programs that would block the attachment.

After that, a compiled HTML file is extracted, which holds other HTML files with embedded JavaScript code. Once the code is executed, it deploys the MassLogger loader onto the victim's system.
This reprogrammed version of MassLogger is designed for Windows users and written in .NET, and it is capable of stealing user credentials. This Trojan can steal users' personal and official data.
It is stored in buffer memory and compressed with Gzip. This Trojan has stolen the credentials of Microsoft Outlook, Google Chrome, Firefox, Microsoft Edge, Thunderbird, NordVPN, FileZilla, and other applications.
The stolen data is sent over the SMTP, FTP, or HTTP protocols and includes the username, country ID, timestamp, machine ID, and other data relating to the configuration of the running process.

The experts say that the running campaign is likely to be executed and present in memory, which emphasizes the importance of regular and background memory scans. The component present on the disk is the compiled HTML file used by the attacker.
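The delivery chain above depends on a RAR archive arriving under an .r00 extension and on a compiled HTML file, so a mail filter should identify attachments by their leading bytes rather than by name. The following Python sketch is an added example, not code from the researchers or from the malware; the function names and the sample message are constructed for illustration.

```python
import sys
from email import message_from_bytes
from email.message import EmailMessage

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4 and RAR5 signatures
CHM_MAGIC = b"ITSF"  # header of a compiled HTML help (.chm) file


def sniff(payload: bytes) -> str:
    """Return the container type indicated by the leading bytes."""
    if payload.startswith(RAR_MAGICS):
        return "rar"
    if payload.startswith(CHM_MAGIC):
        return "chm"
    return "unknown"


def review_message(raw: bytes) -> list:
    """Return (filename, finding) pairs for attachments that should be held."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # message body or multipart container, not an attachment
        kind = sniff(part.get_payload(decode=True) or b"")
        # A plain .rar is left to the ordinary extension policy; the gap is
        # RAR content that arrives under another name such as .r00.
        if kind == "rar" and not name.lower().endswith(".rar"):
            findings.append((name, "RAR content behind a non-.rar extension"))
        elif kind == "chm":
            findings.append((name, "compiled HTML (CHM) file"))
    return findings


def build_sample() -> bytes:
    """Constructed test message: a RAR header named .r00 plus a harmless file."""
    msg = EmailMessage()
    msg["Subject"] = "Request for quotation"  # constructed subject line
    msg.set_content("Please see the attached inquiry.")
    msg.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="inquiry.r00")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, finding in review_message(raw):
        print(f"{name}: {finding}")
```

Run it with the path of a saved .eml file to review that message; with no argument it reviews the constructed sample. The same `sniff` check can be applied to files extracted from a held archive.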
Prevention Taken
To reduce the effect of this updated MassLogger Trojan, the experts advised users to take the simple precautions described below.
- Use Security Software : Install security software that updates automatically and deals with upcoming phishing threats. Antivirus software is capable of detecting phishing activity online or offline.
- Employ Multi-Factor Authentication : Apply multi-factor authentication to an account to reduce the risk of a phishing attack. Multi-factor authentication requires two or more credentials to log in to an account.
- Never Give Any Information : Do not disclose your personal information (like birthdays, education, employment, and account-related data) over Facebook or any other social sites.
- Don’t Open Attachments : Beware of attachments sent through email. Scan attachments with security software before downloading them.
- Choose Regular Backup : Make sure that your data is backed up regularly to avoid unwanted phishing attacks. Always back up your data to removable storage and keep it in a safe place.
- Don’t Click on Link : Instead of clicking a link directly, hover your mouse cursor over it and check whether the link is malicious. Never open a link directly without confirming it, and check that the link starts with HTTPS.
- Evade Pop-Ups : Never click on a random pop-up that appears on your screen while surfing the internet. Instead of clicking on the “cancel” button, always choose to hit the “X” button.
- Update Software Regularly : Update your software as required, because the updates apply patches and reduce the risk of a phishing attack.
- Conduct User Awareness : The best way to reduce phishing attacks is awareness. Conduct regular programs and make your employees aware of this threat.
- Apply Phishing Filter : Install and configure a phishing filter for your email application and also for the web browser. This filter protects you from random phishing attacks and also reduces malicious phishing attempts.
Summing Up
The security researcher also said that this malware works as a keylogger, but in this update the keylogger facility is disabled. The experts believe that this attack is linked with AgentTesla, Formbook, and Async Trojans.