This threat report provides an overview of the MassLogger malware, the tactics, techniques, and procedures used, and what you can do to protect your organization.
MassLogger is classified as spyware with keylogging and credential-stealing capabilities; this report contains actionable intelligence to help protect against the risk it poses.
The malware was first sighted in April 2020 and began to attract attention from researchers in June. The threat actor NYANxCAT is widely recognized as the author and seller of the malware and has previously written other malware such as AsyncRAT and LimeRAT. Because the malware is profitable, regular feature updates from the author are expected.
MassLogger is a fully-featured malware written in .NET, with a variety of modules. It is designed for easy use by less technical malicious actors. Some of its functions include FTP, email, keylogging, and a variety of evasion techniques to avoid analysis from sandboxes and honeypots. Another unique capability of the malware is USB spreading, similar to LimeUSB, which was also written by NYANxCAT. Code for this and other malware from the author is available in a public GitHub repository: https://github.com/NYAN-x-CAT
The goal of MassLogger malware is to gather and exfiltrate sensitive data from infected hosts. It will check the host for installations of specific software and attempt to find stored passwords. MassLogger gathers data about the host into a log file, much like its name implies, and then sends it to the malicious actor’s server.
Initial access is normally gained by the malware through phishing techniques. A malicious attachment is used to deliver the payload to the victim. If the attachment itself does not directly contain the malware, it is often a Microsoft Office document with a malicious VBA macro used to download it. Seqrite notes that the below file attachment types have all been seen in MassLogger phishing attempts:
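Because the delivery chain described above relies on an Office attachment carrying a VBA macro, a mail-gateway or triage script can at least flag attachments that contain a VBA project before a user opens them. The following is an added example written for this report, not code from Avertium or from the malware author; the macro-capable extension list, the sample documents and the function names are constructed assumptions, and a legacy OLE2 container is only identified, not parsed.

```python
import io
import zipfile

# Office containers that can legitimately carry VBA (assumed generic list; the
# report's own attachment-type list is not reproduced on this page).
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt", ".pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (OLE2) header


def classify_attachment(filename: str, data: bytes) -> dict:
    """Triage one attachment: identify the container and whether a VBA project is present."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    verdict = {"name": filename, "container": None, "has_vba": False, "mismatch": False, "note": ""}
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: macros live in OLE streams; defer to a VBA-aware parser.
        verdict.update(container="ole2", note="legacy OLE2 container, needs stream-level macro scan")
        return verdict
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            verdict["note"] = "zip signature but archive unreadable"
            return verdict
        verdict["container"] = "ooxml"
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            verdict["has_vba"] = True
            # Macro payload inside a document whose extension claims to be macro-free.
            verdict["mismatch"] = ext not in MACRO_CAPABLE_EXTS
            verdict["note"] = "VBA project found: " + ", ".join(vba_parts)
    return verdict


def _build_ooxml(parts: dict) -> bytes:
    """Constructed sample: a minimal OOXML-style zip with the given parts (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples standing in for a phishing attachment and a benign document.
MACRO_DOC = _build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                          "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub"})
CLEAN_DOC = _build_ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for name, blob in (("invoice.docm", MACRO_DOC), ("invoice.docx", MACRO_DOC), ("memo.docx", CLEAN_DOC)):
        print(classify_attachment(name, blob))
```

A `mismatch` verdict (VBA inside a file whose extension should not carry macros) is worth quarantining on its own, since it indicates the sender is trying to slip a macro past extension-based filtering.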
Possible MassLogger effects:
What you can do to protect your organization:
IOCs are provided in each of the linked sources, and in the AlienVault OTX pulses below:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.