Malware Analysis Spotlight: MassLogger’s Noisy Stealing Attempts

Aug 11th 2020

In this Malware Analysis Spotlight, the VMRay Labs Team examines MassLogger, a spyware/stealer that was first publicly observed in the wild at the end of April. During our analysis, we observed a significant number of behavioral matches for the techniques MassLogger uses to discover the host machine and to steal sensitive data.

View the VMRay Analyzer Report for MassLogger

MassLogger is delivered by opening a malicious Word document (Figure 1) that exploits a vulnerability in the Equation Editor (CVE-2017-11882/CVE-2018-0802), which allows the attacker to take over the control flow.


Figure 1: Screenshot of the document.


This leads to the download of the second-stage payload from hxxp://sadiqgill[.]com/assets/fonts/EIC[.]exe (Figure 2), which is saved locally in %AppData% and executed.


Figure 2: VMRay Analyzer – Network behavior of payload download


The secondary payload is obfuscated with a packer written in Delphi which, in one of its execution stages, injects into a newly created instance of Notepad.exe.

The injected code establishes persistence by dropping a VBS script in the Windows Startup directory (Figure 3). VMRay Analyzer detects the persistence mechanism and automatically schedules a reboot.


Side Note
In some cases, a malware author might try to evade sandbox-based monitoring by scheduling execution of the malicious payload for some later time. VMRay Analyzer monitors such approaches, including task scheduling and persistence mechanisms that wait for a reboot, and automatically schedules a reboot to make sure all possible malicious behavior has completed.


Figure 3: VMRay Analyzer detects the persistence (top) of the script that executes the payload (bottom)


At this point, the actual behavior of MassLogger starts to be visible. It collects information about the host machine using various techniques, including WMI queries to gather data on the operating system, processor, video controller, and antivirus (Figure 4).


Figure 4: Excerpt of VMRay function strings list (left) and Discovery VTI Matches (right)


As the next step, MassLogger attempts to steal information from various web browsers, FTP clients, and email clients, among others (Figure 5).


Figure 5: VTI matches showing the credential-stealing attempts.


MassLogger also starts to log keystrokes. The spyware installs a hook procedure of type “WH_KEYBOARD_LL”, which allows it to monitor keyboard input events. A hook is an operating system feature that lets a process intercept system messages such as alerts, process information, and physical inputs before they reach their destination. MassLogger gathers information about the computer’s keyboard and then uses the hook to log every key that the user presses (Figure 6).


Figure 6: VTI that shows the keylogger ability.


The gathered information is stored in a log file (Figure 7), bundled together with a screenshot into an archive, and sent via mail[.]privateemail[.]com. MassLogger exfiltrates the information via SMTP (Simple Mail Transfer Protocol). As part of this SMTP exchange, an encrypted TLS session is established with the mail server (Figure 8). MassLogger then sends the stolen information to the attacker over this cryptographically secure channel, so the exfiltrated content itself is not visible on the wire and detection has to rely on the surrounding behavior rather than on payload inspection.


Figure 7: Excerpt of the log file


Figure 8: PCAP from the VMRay Analyzer Report – Initial SMTP communication for data exfiltration
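The behavior chain described above (startup-script persistence, WMI antivirus discovery, injection into Notepad, a WH_KEYBOARD_LL hook, and an SMTP connection) can be turned into simple correlation logic. The following Python is an added example, not VMRay code: the event tuple format, the sample events, and the rule names are constructed for illustration.

```python
import re

# Constructed sample of sandbox behaviour events (process, api, argument) in the
# style of a function-call log; illustrative only, not real VMRay output.
SAMPLE_EVENTS = [
    ("winword.exe", "CreateProcess", r"C:\Users\user\AppData\Roaming\EIC.exe"),
    ("eic.exe", "CreateProcess", r"C:\Windows\System32\notepad.exe"),
    ("eic.exe", "WriteProcessMemory", "notepad.exe"),
    ("notepad.exe", "CreateFile",
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"),
    ("notepad.exe", "WMI", "SELECT * FROM AntiVirusProduct"),
    ("notepad.exe", "WMI", "SELECT * FROM Win32_VideoController"),
    ("notepad.exe", "SetWindowsHookEx", "WH_KEYBOARD_LL"),
    ("notepad.exe", "Connect", "mail.privateemail.com:587"),
]

# Each rule: technique name -> (API to watch, pattern the argument must match).
RULES = {
    "persistence_startup_script": ("CreateFile",
        re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|js|bat|cmd)$", re.I)),
    "discovery_wmi_av": ("WMI", re.compile(r"\bAntiVirusProduct\b", re.I)),
    "process_injection": ("WriteProcessMemory", re.compile(r"\.exe$", re.I)),
    "keylogger_ll_hook": ("SetWindowsHookEx", re.compile(r"^WH_KEYBOARD_LL$")),
    "exfil_smtp": ("Connect", re.compile(r":(25|465|587)$")),
}

# Processes that normally have no business hooking the keyboard or sending mail;
# a hit from one of them points at injection, as with Notepad.exe in this sample.
UNEXPECTED_HOSTS = {"notepad.exe", "calc.exe", "mspaint.exe"}


def match_rules(events):
    """Return {technique: [processes]} for every event that a rule matches."""
    hits = {}
    for proc, api, arg in events:
        for name, (want_api, pattern) in RULES.items():
            if api == want_api and pattern.search(arg):
                hits.setdefault(name, []).append(proc.lower())
    return hits


def verdict(hits):
    """The keylogger+exfil pair, or two techniques from a hijacked host process,
    is what makes the chain MassLogger-like; isolated hits are only suspicious."""
    hijacked = any(p in UNEXPECTED_HOSTS for procs in hits.values() for p in procs)
    if "keylogger_ll_hook" in hits and "exfil_smtp" in hits:
        return "malicious"
    if hijacked and len(hits) >= 2:
        return "malicious"
    return "suspicious" if hits else "clean"
```

Because the SMTP session is TLS-encrypted, the exfiltration rule keys on the connection to a mail port rather than on the mail content.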


Conclusion

Despite MassLogger being highly obfuscated, we see a multitude of behavioral indicators in the VMRay Analyzer Report, giving us the confidence to understand the full scope of the attack.

IOCs

Hashes:
cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e
5caf50c8907738643bd5648927c52306bf9177cb178065d1ee08590a0d37f0c9

Network:
sadiqgill[.]com
67[.]23[.]226[.]159
