Overview of MassLogger v3
This report is about recent malware campaigns utilizing the MassLogger trojan (written in .NET). Previously we have covered features of MassLogger in TIR-20200821. However, recent research has revealed a new variant of the malware, dubbed MassLogger v3 by Avast. The primary goal of these campaigns is credential exfiltration, targeting popular applications such as Microsoft Outlook and Google Chrome.
TIR-20210228 Tactics, Techniques, and Procedures
MassLogger v3 largely maintains similar functionality as previous versions (password recovery, USB spreading, data exfiltration via FTP/SMTP/HTTP, anti-sandbox/VM/debugger detection, etc.). Though keylogging was a main feature, it is disabled in this variant. Other changes in version 3 include increased obfuscation and defense evasion techniques, leaving fewer traces of the malware on victim hosts. Analysis of the malware from Cisco Talos Intelligence Group notes the below applications are targeted for credential exfiltration in this campaign:
- Pidgin messenger client
- FileZilla FTP client
- QQ Browser
- Chromium based browsers (Chrome, Chromium, Edge, Opera, Brave)
Business Unit Impact
- Will lead to unauthorized data exfiltration, including user credentials.
- May allow for malicious actors to successfully compromise user credentials and sensitive data.
- Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
- Block and monitor for activity involving the linked IOCs.
- MITRE Mapping(s)
- Initial Access: https://attack.mitre.org/tactics/TA0001/
- Execution: https://attack.mitre.org/tactics/TA0002/
- Command and Scripting Interpreter: PowerShell: https://attack.mitre.org/techniques/T1059/001/
- Defense Evasion: https://attack.mitre.org/tactics/TA0005/
- Deobfuscate/Decode Files or information: https://attack.mitre.org/techniques/T1140/
- Virtualization/Sandbox Evasion: https://attack.mitre.org/techniques/T1497/
- Credential Access: https://attack.mitre.org/tactics/TA0006/ \
- Credentials from Password Stores: Credentials from Web Browsers: https://attack.mitre.org/techniques/T1555/003/
- Discovery: https://attack.mitre.org/tactics/TA0007/
- System Information Discovery: https://attack.mitre.org/techniques/T1082/
- Software Discovery: https://attack.mitre.org/techniques/T1518/
- Collection: https://attack.mitre.org/tactics/TA0009/
- Clipboard Data: https://attack.mitre.org/techniques/T1115/
- Input Capture: https://attack.mitre.org/techniques/T1056/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.