Security researchers have discovered a malware campaign targeting Windows systems in an attempt to swipe login credentials from several popular applications, including Discord, Outlook, all major web browsers, NordVPN, and others. It does this through a multi-stage ‘fileless’ attack scheme.
Cisco Talos researcher Vanja Svajcer detailed the malware in a blog post, saying it is a variant of an existing trojan called Masslogger.
“Although operations of the Masslogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain,” Svajcer explains.
Therein also lies a bit of good news—while the malware initiates attacks from within system memory (making it fileless), delivery of the payload relies on the tried and true vector of phishing emails, a longtime (and easily avoidable) staple of bad actors.
The infection is hidden inside a compressed RAR archive “with a slightly unusual filename extension,” delivered to targets as an email attachment. When opened, it sets in motion a series of steps to inject malware into volatile memory (system RAM).
Svajcer says both home and business users are at risk, noting that this kind of malware can more easily slip under the radar right now because of the heightened awareness and focus on more predominant ransomware attacks.
“It is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users’ credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks.,” Svajcer writes.
Interestingly, there is also a keylogger component to this version of Masslogger, but it has been disabled. Keyloggers and user credential theft typically go hand-in-hand.
The most recent Masslogger campaign began a month ago. Cisco Talos believes it is mostly focused on organizations in Turkey, Latvia, and Italy, at least for now. In the past, the security outfit has observed similar campaigns using previous versions of Masslogger in various other parts of the world.
Since this one relies on phishing emails to get started, it is easy to avoid—just keep using smart computing habits, like not downloading unexpected file attachments. Now would be a good time to remind any less savvy friends and family members to do the same.