Technical analysis by the Malware Hunter JAMESWT

The latest global MassLogger campaign exploits CHM files. The emails contain a compressed file with the file inside. If executed, it downloads a fake image that triggers the infection of the malware, which steals data and transmits it via ftp

The latest cybercrime global campaign to deliver MassLogger now hides in emails that take advantage of CHM. Attached to the email is a compressed file that contains a CHM (Microsoft Compiled HTML Help). If this is done, it downloads a fake .jpg image which, once decoded, activates the malware infection chain. The keylogger steals login credentials and sensitive data, which are transmitted to the C2 server via ftp. Moreover, the latest MassLogger campaigns hit only a few days ago. One with an executable inside the compressed attachment and the other with a JavaScript. The baits were fake product orders and the companies are the targets.

The text of the mail-trap

The flow of data exfiltrated via SMTP