Masslogger Phishing Campaign

Since mid-January 2021, a new version of the Masslogger Trojan horse targeting Windows systems has been detected, aimed at users in Turkey, Italy and Latvia.

This version starts the infection chain using the compiled HTML (CHM) format.

This new version of the Trojan horse aims to steal account information from Microsoft Outlook, Google Chrome and various instant-messaging applications on Windows.

The infection begins with an email sent to the target organization with a legitimate-looking subject line and a RAR file with an unusual file extension attached. This attachment is actually a CHM (compiled HTML) file containing JavaScript code that initiates the active infection process. After these stages, the malware downloaded to the computer begins stealing the user's information.
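The lure described above relies on a file whose name says "RAR" while its bytes say "CHM". The following is an added example, not code from the original page or from the Cisco analysis, that checks an attachment's leading magic bytes against what its extension claims; the set of RAR-like extensions and the sample attachments are constructed assumptions, while the CHM (`ITSF`) and RAR (`Rar!`) signatures are the standard format headers.

```python
# Added example (not from the original page): detect mail attachments whose
# extension looks like a RAR archive (or split volume) but whose content is
# actually a CHM file, the mismatch this campaign relies on.
import re
from typing import Dict, List, NamedTuple

CHM_MAGIC = b"ITSF"          # compiled HTML help container header
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of RAR v4 and v5 headers

# Assumed set of extensions a RAR archive or split volume is delivered with.
RAR_LIKE_EXT = re.compile(r"\.(rar|r\d\d|\d{3})$", re.IGNORECASE)


class Finding(NamedTuple):
    filename: str
    declared: str    # what the extension claims: "rar", "chm" or "other"
    actual: str      # what the magic bytes say: "rar", "chm" or "unknown"
    suspicious: bool


def sniff(data: bytes) -> str:
    """Identify the container format from its leading bytes."""
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> Finding:
    lower = filename.lower()
    if RAR_LIKE_EXT.search(lower):
        declared = "rar"
    elif lower.endswith(".chm"):
        declared = "chm"
    else:
        declared = "other"
    actual = sniff(data)
    # CHM content under any non-.chm name is a disguise; the campaign's
    # specific lure is CHM content behind a RAR-style extension.
    suspicious = actual == "chm" and declared != "chm"
    return Finding(filename, declared, actual, suspicious)


def suspicious_names(attachments: Dict[str, bytes]) -> List[str]:
    """Return the names of attachments that fail the extension/content check."""
    return [n for n, d in attachments.items() if inspect_attachment(n, d).suspicious]


# Constructed sample attachments: a disguised CHM, a genuine RAR, a plain CHM.
SAMPLES = {
    "invoice.r00": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 24,
    "archive.rar": RAR_MAGIC + b"\x01\x00" + b"\x00" * 24,
    "help.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 24,
}
```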

Below are the IoCs published for this malware; they can be loaded into security systems to detect it.

Download Mixed PowerShell Loaders

0eef444f062ea06340ca7ef300cb39c44a6cdf7ead2732bb885d79f098991cb8
df929834de2b10efaa8b2cb67c71ae98508cfb79f22213ee24aedc38a962ccb5

DLL Loaders

49fc4103d8747de341b9d3cd08f05c83f2e6943215df6939d02c7c3099345343
39dbe72ea847012243e4642d766fd4cf6fe138302cbfba67c65088b2cdefc1f4
a16fa0a14f0d20b66af550e3cdb0b60f8ffb965415404df6cc8164e62dfbe124
da256158ac0d7dc031b2541f9b7486d9822a402b6e9c5176c2ec2ed717592fbf

Masslogger Payload

2487b12f52b803f5d38b3bb9388b039bf4f58c4b5d192d50da5fa047e9db828b

For more detailed technical information and analysis, see the Cisco website referenced below.