On 11 August, we observed a malicious spam (malspam) email campaign distributing MassLogger malware. MassLogger is a relatively new information stealer (infostealer) that was reportedly first observed in April 2020.[1] It is written using .NET, a programming framework developed by Microsoft.[2]
MassLogger has the ability to log keystrokes and clipboard data, take screenshots, as well as steal credentials from Chrome, Firefox, Outlook, Thunderbird, Discord, NordVPN, FileZilla, Telegram, and more.
MassLogger can also be spread over USB by injecting copies of its code into files on connected USB devices. When a user opens one of these infected files, the malicious code runs and can infect a new computer.[3]
In this campaign, the threat actor sent emails with the subject “Arrival notice 203517024.” The body contained a vague message referencing an attached document and included a legitimate link to the website for a real shipping company named Maersk. The attached file was named DB_aabfjgideha0x0CA1.doc, and although it has the .doc extension, it is actually a Rich Text Format (RTF) file.
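One defensive check the mismatch above suggests, written here as an added example rather than code from the original report: compare an attachment's leading bytes with the container format its extension claims. The magic-byte table, the `EXPECTED` mapping and the sample payloads are constructed for illustration (the constructed ".doc" sample reuses the campaign's attachment name but carries only a harmless RTF header).

```python
import os

# Leading bytes of the container formats a Word-style attachment can plausibly be.
# (Constructed table; covers the formats relevant to the lure above.)
MAGIC = {
    "rtf": b"{\\rtf",                              # Rich Text Format
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",    # legacy binary Word (.doc) container
    "zip": b"PK\x03\x04",                          # OOXML (.docx) is a ZIP container
}

# Container formats each extension is expected to carry (assumption for this check).
EXPECTED = {
    ".doc": {"ole"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
}

def detect_format(data: bytes) -> str:
    """Classify a byte string by its leading signature; 'unknown' if none match."""
    for name, signature in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"

def extension_mismatch(filename: str, data: bytes):
    """Return (detected_format, is_mismatch) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    detected = detect_format(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        return detected, False      # extension not covered by this check
    return detected, detected not in expected

# Constructed sample attachments (not real malware) modelled on the campaign's lure.
SAMPLES = {
    "DB_aabfjgideha0x0CA1.doc": b"{\\rtf1\\ansi\\deff0 ... }",      # RTF hiding behind .doc
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,  # genuine .doc
    "notes.docx": b"PK\x03\x04" + b"\x00" * 16,                      # genuine .docx
}

def scan(samples):
    """Run the mismatch check over a dict of {filename: bytes}."""
    return {name: extension_mismatch(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, (fmt, bad) in scan(SAMPLES).items():
        print(f"{name}: detected={fmt} {'MISMATCH' if bad else 'ok'}")
```

A mail gateway or sandbox applying this check would flag the campaign's attachment as an RTF file presented as a .doc, which is the indicator the report calls out.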
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-massloggers-noisy-stealing-attempts/
2. https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html
3. https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/