Masslogger is a highly obfuscated spyware/stealer malware family that the VMRay Labs Team has been tracking since 2020. Masslogger typically arrives as a seemingly benign email attachment and follows an extremely complicated, multi-stage infection process that makes it particularly difficult to detect.
Once a system is fully infected, MassLogger can record every input a user makes on their keyboard. The primary targets are usually usernames and passwords for mail clients such as Microsoft Outlook, chat services such as Discord, or even the password managers built into major browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge.
Masslogger is typically delivered via a phishing email and is usually embedded in a seemingly benign Word document. The first stage of the infection takes advantage of a related pair of longstanding vulnerabilities that Microsoft has described as memory corruption issues. Known as CVE-2017-11882 and CVE-2018-0802, these vulnerabilities lie in the way the Office Equation Editor handles objects in memory; exploiting them lets an attacker take over the control flow and execute code remotely.
Once the Word document is opened, it triggers a complicated, multi-stage infection process that includes the download of a secondary payload, typically obfuscated by one or more packers. It can also drop a VBS script into the Windows startup directory to ensure the infection persists after reboots.
Only once the full infection process has concluded does the intended behavior of Masslogger begin. Masslogger uses WMI queries to gather information on the host machine, including the operating system, CPU, video adapters, and any antivirus protection. From there, it begins to spy, using system-wide hooks to install a WH_KEYBOARD_LL-type procedure that intercepts keystrokes entered by the user. These keystrokes are stored in a log, attached to a screenshot, and encrypted before being covertly exfiltrated to the cybercriminals responsible for the attack via SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), or HTTP.
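As an added illustration of the defensive side of the chain described above (example code, not VMRay's or the malware's own): a Python scan over constructed Sysmon-style events that flags a child process spawned by the Office Equation Editor (EQNEDT32.EXE, the process name of the component behind CVE-2017-11882, which the page does not name) and a VBS file written into a user's Startup folder. The event layout, file names and paths are assumptions.

```python
"""Added detection example (not VMRay's or Masslogger's code).

Two heuristics for the infection chain described above, run over constructed
Sysmon-style events: the Equation Editor normally spawns no child processes,
and a script file landing in a Startup folder is a persistence signal.
"""
import ntpath

STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"
EQUATION_EDITOR = "eqnedt32.exe"  # Equation Editor binary; assumption, not on the page
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".wsf"}

# Constructed sample events; field names mimic Sysmon Event ID 1 and 11.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"id": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"id": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]


def equation_editor_child(event):
    """Sysmon ID 1: any process whose parent is the Equation Editor is suspicious."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return event.get("id") == 1 and parent == EQUATION_EDITOR


def startup_script_drop(event):
    """Sysmon ID 11: a script file created inside a Startup folder (reboot persistence)."""
    target = event.get("TargetFilename", "")
    folder = ntpath.dirname(target).lower()
    ext = ntpath.splitext(target)[1].lower()
    return event.get("id") == 11 and folder.endswith(STARTUP_SUFFIX) and ext in SCRIPT_EXTS


def scan(events):
    """Return (rule_name, file name) for every event that matches a rule."""
    hits = []
    for ev in events:
        if equation_editor_child(ev):
            hits.append(("equation_editor_child", ntpath.basename(ev["Image"])))
        if startup_script_drop(ev):
            hits.append(("startup_script_drop", ntpath.basename(ev["TargetFilename"])))
    return hits


if __name__ == "__main__":
    for rule, name in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {name}")
```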