Overview of MassLogger v3

This report is about recent malware campaigns utilizing the MassLogger trojan (written in . NET). Previously we have covered features of MassLogger in TIR-20200821. However, recent research has revealed a new variant of the malware, dubbed MassLogger v3 by Avast. The primary goal of these campaigns is credential exfiltration, targeting popular applications such as Microsoft Outlook and Google Chrome.

TIR-20210228 Tactics, Techniques, and Procedures   

MassLogger v3 largely maintains similar functionality as previous versions (password recovery, USB spreading, data exfiltration via FTP/SMTP/HTTP, anti-sandbox/VM/debugger detection, etc.). Though keylogging was the main feature, it is disabled in this variant. Other changes in version 3 include increased obfuscation and defense evasion techniques, leaving fewer traces of the malware on victim hosts. Analysis of the malware from Cisco Talos Intelligence Group notes the below applications are targeted for credential exfiltration in this campaign:

  • Pidgin messenger client
  • FileZilla FTP client
  • Discord
  • NordVPN
  • Outlook
  • FoxMail
  • Thunderbird
  • Firefox
  • QQ Browser
  • Chromium-based browsers (Chrome, Chromium, Edge, Opera, Brave)

Source: https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html

Infection begins with a phishing email containing a compressed RAR file attachment. To attempt bypassing security controls that will strip .rar email attachments, the multivolume file extension is used (.r00 to .r99). Within the archive is a single compiled HTML file (.chm). This is one unique change in the infection chain of other MassLogger variants. The .chm file contains obfuscated JavaScript and presents itself as a seemingly harmless HTML Help file.

Source: https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html

The JavaScript code is used to execute PowerShell as a downloader. PowerShell reaches out to a server hosting the next stage in the form of a .jpg file, the PowerShell loader. The loader is used to load a .NET DLL, create the “msbuild.exe” process, and inject the final payload into memory on the victim host. Once infected, users can expect MassLogger to gather credentials from any of the targeted applications and attempt exfiltration.

Business Unit Impact

  • This will lead to unauthorized data exfiltration, including user credentials.
  • May allow for malicious actors to successfully compromise user credentials and sensitive data.


  • Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.
  • Block and monitor for activity involving the linked IOCs.



Supporting Documentation

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Chat With One of Our Experts

Threat Report malware campaign Trojan Threat Detection and Response MassLogger Blog