In early 2021, security researchers discovered a malware campaign that targeted Windows computers to steal login credentials for several popular applications, including Discord, Microsoft Outlook, most of the major web browsers, NordVPN, and many others. It does so through a multi-stage ‘fileless’ attack chain.
According to Cisco Talos research team member Vanja Svajcer, the malware is a variant of an existing trojan called MassLogger. “Although operations of the MassLogger trojan have been previously documented, we found the new campaign notable for using the compiled HTML file format to start the infection chain,” Svajcer explained in a blog post.
The malware runs its attack from inside the system’s memory, which is what makes it fileless, while the payload itself is delivered by a phishing email. The malicious code is hidden inside a compressed RAR archive that carries an unusual filename extension. When the phishing email is opened, the process of injecting malware into system RAM begins.
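The two delivery artifacts named above, a RAR archive under an unusual extension and a compiled HTML (CHM) file that starts the chain, can be picked out of inbound mail by checking attachment bytes rather than filenames. The following is an added example, not code from Cisco Talos or the original article: it parses a constructed message and flags RAR or CHM content regardless of extension, using the public magic numbers for those formats; the expected-extension policy is an assumption.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

# Public format signatures: RAR 4.x, RAR 5.x, and the CHM (ITSS) container.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
CHM_MAGIC = b"ITSF"
# Assumption: any other extension on these formats is worth an analyst's look.
EXPECTED_EXT = {"rar": {".rar"}, "chm": {".chm"}}

def sniff(data: bytes) -> Optional[str]:
    """Identify the container from its leading bytes, ignoring the filename."""
    if data.startswith(RAR_MAGICS):
        return "rar"
    if data.startswith(CHM_MAGIC):
        return "chm"
    return None

def triage_message(raw: bytes) -> list:
    """One finding per attachment whose real format is RAR or CHM."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = sniff(part.get_payload(decode=True) or b"")
        if kind is None:
            continue
        ext = os.path.splitext(name.lower())[1]
        findings.append({"filename": name, "format": kind,
                         "extension_mismatch": ext not in EXPECTED_EXT[kind]})
    return findings

def build_sample() -> bytes:
    """Constructed message: RAR bytes under a misleading name, a CHM, and a benign PDF."""
    msg = EmailMessage()
    msg.set_content("Please see the attached documents.")
    for name, body in (("invoice.pdf", RAR_MAGICS[1] + b"\0" * 32),
                       ("readme.chm", CHM_MAGIC + b"\0" * 32),
                       ("real.pdf", b"%PDF-1.4\n" + b"\0" * 32)):
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Mail gateways that only match on extension miss the first case entirely; the byte check is cheap and runs before any archive is unpacked.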
Both home and business systems are at risk, because this type of malware can easily slip under the radar while ransomware attacks get most of the publicity.
“It is important to keep in mind that crimeware actors are still active and can inflict significant damage to organizations by stealing users’ credentials. The credentials themselves have value on the dark web and actors sell them for money or use them in other attacks,” Svajcer writes.
Cisco Talos believes that the recent MassLogger campaign that started in January of 2021 is mostly focused on organizations in Turkey, Latvia, and Italy, for the time being. They previously observed similar attacks using older versions of MassLogger elsewhere globally.
Because this campaign relies on phishing emails, it can be avoided with sound computing habits: be on the lookout for suspicious emails carrying unsolicited attachments. Now is a good time to remind friends and family to do the same.
If you are still having trouble, consider contacting a remote technical support service.