
Cybercrime, MassLogger hits with campaigns on compressed files

Technical analysis by the Malware Hunter JAMESWT

MassLogger is still attacking today with two campaigns that rely on compressed files. One delivers the malware through an executable inside a .7z file, the other through a CHM file inside a .R15 or .R04 attachment.

MassLogger is still attacking today with two different malspam campaigns, built on the usual fake invoice or document to be signed and on compressed files. In the first email (intercepted by abuse.ch) there is a .7z attachment containing an executable that contacts a URL from which a fake image is downloaded; once decoded, that image launches the malware infection chain. In the second, the final stage is identical (a fake photo that starts the infection), but instead of the executable there is a CHM (Microsoft Compiled HTML Help) file, intercepted by MasterToba, and the attachment is an R15 or R04 file. The keylogger steals credentials and sensitive data, which are transmitted to C2 servers via FTP.
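As an added defensive illustration (not code from the original post), the triage helper below flags the two attachment shapes described above: a CHM file hiding behind a .R15/.R04 extension, and a 7z archive whose expanded members include an executable. The filenames and byte strings are constructed samples; only the well-known file signatures are real.

```python
# Added triage helper for the attachment shapes used by the two campaigns:
# CHM disguised as .R15/.R04, and 7z archives carrying an executable.
# Sample filenames and bytes below are constructed, not from the campaigns.

MAGIC = {                     # well-known file signatures
    "7z": b"7z\xbc\xaf\x27\x1c",
    "chm": b"ITSF",
    "exe": b"MZ",
}
DECOY_EXTS = {"r15", "r04"}   # extensions the CHM lure hides behind

def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes, ignoring the claimed extension."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one mail attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    findings = []
    if kind == "chm":
        findings.append("CHM help file")
        if ext != "chm":
            findings.append(f"CHM content hidden behind .{ext} extension")
    elif kind == "7z":
        findings.append("7z archive: expand and triage members")
    elif kind == "exe":
        findings.append("PE executable delivered directly")
    if ext in DECOY_EXTS and kind != "chm":
        findings.append(f"unusual .{ext} extension, content is {kind}")
    return findings

def triage_archive_members(names: list[str]) -> list[str]:
    """Flag executables or CHM files found inside an expanded archive."""
    return [n for n in names if n.lower().endswith((".exe", ".chm"))]

# Constructed samples: only the leading bytes matter for the check.
SAMPLES = {
    "Fattura.R15": b"ITSF\x03\x00\x00\x00" + b"\x00" * 16,
    "Documento.7z": b"7z\xbc\xaf\x27\x1c\x00\x04" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage_attachment(name, blob) or ["no finding"])
```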

[Figure: The exe file email]

[Figure: The CHM file email]

[Figure: Exe file email, DNS and HTTP/HTTPS requests / connections]

[Figure: CHM file email, DNS and HTTP/HTTPS requests / connections]
