Malware Analysis Spotlight: MassLogger’s Noisy Stealing AttemptsAugust 11, 2020 | Malware Analysis
In this Malware Analysis Spotlight, the VMRay Labs Team will examine MassLogger, a Spyware/Stealer that was first publicly observed in-the-wild at the end of April. During our analysis, we monitored a significant amount of behavioral matches for techniques that MassLogger uses to discover the host machine and to steal sensitive data.
MassLogger is delivered by opening a malicious Word Document (Figure 1) that exploits the vulnerability in the equation editor (CVE-2017-11882/CVE-2018-0802), which allows for the takeover of the control flow.
This leads to the download of the second stage payload from hxxp://sadiqgill[.]com/assets/fonts/EIC[.]exe (Figure 2) which is saved locally in %appData% and executed.
The secondary payload is obfuscated with a packer written in Delphi which, in one of its execution stages, injects into a newly created instance of Notepad.exe.
The injected code takes care of establishing persistence by dropping a VBS script in the Windows startup directory (Figure 3). VMRay Analyzer detects the persistence and automatically schedules a reboot.
|In some cases, the malware author might try to evade sandbox-based monitoring by scheduling the execution of the malicious payload for some later time. VMRay Analyzer makes sure to monitor such approaches like task scheduling and persistence (waiting for a reboot) and automatically schedules a reboot to make sure all possible malicious behavior has been completed.|
At this point, the actual behavior of MassLogger starts to be visible. It collects information about the host machine using various techniques, including WMI queries to gather data on the operating system, processor, video controller, and antivirus (Figure 4).
As the next step, MassLogger attempts to steal information from various web browsers, FTP clients, and email clients among others (Figure 5).
MassLogger also starts to log keystrokes. The spyware installs a “WH_KEYBOARD_LL-type” hook procedure which allows it to monitor keyboard input events. A hook is an operating system feature that can enable processes to intercept system messages such as alerts, process information, and physical inputs. MassLogger gathers information about the computer’s keyboard and then uses the hook to log every key that the user presses (Figure 6).
The gathered information is stored in a log file (Figure 7) and bundled together with the screenshot to an archive and sent via mail[.]privateemail[.]com. MassLogger exfiltrates the information via SMTP (Simple Mail Transfer Protocol). As part of this SMTP exchange, an encrypted TLS session is established with the mail server (Figure 8). MassLogger then sends the stolen information to the attacker in this cryptographically secure channel.
Despite MassLogger being highly obfuscated, we see a multitude of behavioral indicators in the VMRay Analyzer Report, giving us the confidence to understand the full scope of the attack.