In this Malware Analysis Spotlight, the VMRay Labs Team will examine MassLogger, a Spyware/Stealer that was first publicly observed in-the-wild at the end of April. During our analysis, we monitored a significant amount of behavioral matches for techniques that MassLogger uses to discover the host machine and to steal sensitive data.
View the VMRay Analyzer Report for MassLogger
MassLogger is delivered by opening a malicious Word Document (Figure 1) that exploits the vulnerability in the equation editor (CVE-2017-11882/CVE-2018-0802), which allows for the takeover of the control flow.
Figure 1: Screenshot of the document.
This leads to the download of the second stage payload from hxxp://sadiqgill[.]com/assets/fonts/EIC[.]exe (Figure 2) which is saved locally in %appData% and executed.
Figure 2: VMRay Analyzer – Network behavior of payload download
The secondary payload is obfuscated with a packer written in Delphi which, in one of its execution stages, injects into a newly created instance of Notepad.exe.
The injected code takes care of establishing persistence by dropping a VBS script in the Windows startup directory (Figure 3). VMRay Analyzer detects the persistence and automatically schedules a reboot.
| Side Note |
|---|
| In some cases, the malware author might try to evade sandbox-based monitoring by scheduling the execution of the malicious payload for some later time. VMRay Analyzer makes sure to monitor such approaches like task scheduling and persistence (waiting for a reboot) and automatically schedules a reboot to make sure all possible malicious behavior has been completed. |
Figure 3: VMRay Analyzer detects the persistence (top) of the script that executes the payload (bottom)
At this point, the actual behavior of MassLogger starts to be visible. It collects information about the host machine using various techniques, including WMI queries to gather data on the operating system, processor, video controller, and antivirus (Figure 4).
Figure 4: Excerpt of VMRay function strings list (left) and Discovery VTI Matches (right)
As the next step, MassLogger attempts to steal information from various web browsers, FTP clients, and email clients among others (Figure 5).
Figure 5: VTI matches showing the credential-stealing attempts.
MassLogger also starts to log keystrokes. The spyware installs a “WH_KEYBOARD_LL-type” hook procedure which allows it to monitor keyboard input events. A hook is an operating system feature that can enable processes to intercept system messages such as alerts, process information, and physical inputs. MassLogger gathers information about the computer’s keyboard and then uses the hook to log every key that the user presses (Figure 6).
Figure 6: VTI that shows the keylogger ability.
The gathered information is stored in a log file (Figure 7) and bundled together with the screenshot to an archive and sent via mail[.]privateemail[.]com. MassLogger exfiltrates the information via SMTP (Simple Mail Transfer Protocol). As part of this SMTP exchange, an encrypted TLS session is established with the mail server (Figure 8). MassLogger then sends the stolen information to the attacker in this cryptographically secure channel.
Figure 7: Excerpt of the log file
Figure 8: PCAP from the VMRay Analyzer Report – Initial SMTP communication for data exfiltration
Conclusion
Despite MassLogger being highly obfuscated, we see a multitude of behavioral indicators in the VMRay Analyzer Report, giving us the confidence to understand the full scope of the attack.
IOCs
| Hashes | cc4e6e42f73500c72d0d0820b4a3c131e2f8fce4d7d730eb8f9fc1b5cc3e882e
5caf50c8907738643bd5648927c52306bf9177cb178065d1ee08590a0d37f0c9 |
| Network | sadiqgill[.]com
67[.]23[.]226[.]159 |
