New Mass Logger Malware Could Be Massive

Cofense Intelligence is tracking a recently released keylogger named “Mass Logger” which could significantly impact the keylogger market and the phishing threat landscape.

By Max Gannon

Today, keyloggers make up the largest volume of unique phishing campaigns by malware type, and they continue to grow in popularity and sophistication. One of the key concerns with Mass Logger is its update cadence. The author of Mass Logger consistently updates and improves the malware, which lets its operators respond quickly to security measures taken to detect and defend against it. Speedy development also lets the malware's creator add features quickly in response to customer feedback, which may lead to an increase in this malware's popularity.

Speedy Development Could Spur Adoption

The creator of Mass Logger, known as NYANxCAT, is responsible for several other well-known and prolific malware families, including LimeRAT, AsyncRAT, and other RAT variants. NYANxCAT's malware tends to be feature rich and easy to use, which lowers the bar for adoption by amateur threat actors. Despite that low entry bar, many of the features built into Mass Logger are advanced, such as its USB spreading capability.

This capable actor has demonstrated a clear investment in Mass Logger, improving the malware's functionality with 13 updates in only a three-week period. In the patch notes, NYANxCAT references new targets for the credential-stealing functionality and measures intended to reduce automated detection. Given this pace of feature additions and evasion improvements, it is likely that NYANxCAT will continue to invest in and update this keylogger, and that detections built against any single build will age quickly.

Advanced Functionality, With More Likely to Come

Sophisticated features distinguish Mass Logger from other common keyloggers. For example, it includes a function that lets an operator search a victim's machine for files with a specific extension and exfiltrate them, which turns a keylogger into a targeted document stealer.

Mass Logger is already being delivered through established loaders. Cofense Intelligence has identified a campaign that used an attached GuLoader executable to deliver an encrypted Mass Logger binary. GuLoader has recently risen to prominence as a delivery mechanism that downloads encrypted payloads hosted on legitimate file-sharing platforms. The email address used to exfiltrate data in this campaign was also recently seen in an Agent Tesla keylogger campaign, indicating that some threat actors may already be switching from Agent Tesla to Mass Logger.

To defend against Mass Logger and similar threats, network defenders should watch for FTP sessions or emails sent from the local network that do not go through the organization's sanctioned servers, since keyloggers of this type send their stolen data out over SMTP or FTP rather than through the corporate mail relay. Also tune sandbox systems to look for anti-analysis and evasion techniques, and disable password saving in applications such as Firefox (for managed Firefox deployments, the enterprise policy PasswordManagerEnabled set to false in policies.json does this), so that browser credential stores give a credential stealer nothing to harvest.
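As an added illustration of the first recommendation above (example code written for this post, not Cofense's own tooling), the following Python script reads constructed flow records and flags FTP or SMTP sessions that an internal host opens to anything other than the sanctioned mail relay or file-transfer server. The log format, the internal address ranges and the allowlisted servers are assumptions for the example; in practice they come from your flow collector and network inventory.

```python
"""Flag outbound FTP/SMTP sessions that bypass the organisation's sanctioned servers.

Added example, not Cofense's code. The log format, address ranges and
allowlists below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed policy: which ranges count as "inside", and the only hosts
# that internal machines are allowed to reach for mail and file transfer.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
APPROVED_MAIL_RELAYS = {ipaddress.ip_address("10.0.5.25")}   # corporate SMTP relay
APPROVED_FTP_SERVERS = {ipaddress.ip_address("10.0.9.21")}   # internal FTP host
# Ports a keylogger's SMTP/FTP exfiltration would use.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}
FTP_PORTS = {21: "ftp"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddress
    sport: int
    dst: IPAddress
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    reason: str


def parse_flows(lines: Iterable[str]) -> Iterator[Flow]:
    """Parse whitespace-separated records: ts src sport dst dport proto.
    Blank lines, '#' comments and malformed records are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            yield Flow(parts[0], ipaddress.ip_address(parts[1]), int(parts[2]),
                       ipaddress.ip_address(parts[3]), int(parts[4]), parts[5].lower())
        except ValueError:
            continue  # unparsable address or port; ignore the record


def is_internal(addr: IPAddress) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> Optional[Alert]:
    """Return an Alert when an internal host uses FTP or SMTP to reach a
    destination that is not one of the sanctioned servers, else None."""
    if flow.proto != "tcp" or not is_internal(flow.src):
        return None  # only outbound TCP from inside is in scope
    if flow.dport in MAIL_PORTS:
        service, approved = MAIL_PORTS[flow.dport], APPROVED_MAIL_RELAYS
    elif flow.dport in FTP_PORTS:
        service, approved = FTP_PORTS[flow.dport], APPROVED_FTP_SERVERS
    else:
        return None
    if flow.dst in approved:
        return None
    if is_internal(flow.dst):
        reason = "%s to unsanctioned internal host" % service
    else:
        reason = "direct %s to external host" % service
    return Alert(flow.ts, str(flow.src), str(flow.dst), flow.dport, service, reason)


def find_suspicious(lines: Iterable[str]) -> List[Alert]:
    """Run the check over a log and return the alerts in log order."""
    return [a for a in (classify(f) for f in parse_flows(lines)) if a is not None]


# Constructed sample records (not real telemetry): one workstation sends mail
# through the relay, then submits mail directly to an outside host and opens
# an FTP session to another; the rest is benign or inbound.
SAMPLE_LOG = """\
# ts src sport dst dport proto
2020-04-14T10:02:11Z 10.0.44.17 51322 10.0.5.25 25 tcp
2020-04-14T10:02:45Z 10.0.44.17 51340 203.0.113.50 587 tcp
2020-04-14T10:03:01Z 10.0.44.17 51355 198.51.100.7 21 tcp
2020-04-14T10:03:10Z 10.0.44.17 51360 93.184.216.34 443 tcp
2020-04-14T10:04:00Z 192.168.3.9 40000 10.0.9.21 21 tcp
2020-04-14T10:05:00Z 203.0.113.9 40001 10.0.5.25 25 tcp
"""

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample records only the two sessions from 10.0.44.17 to outside hosts on 587 and 21 are reported; traffic to the approved relay and FTP server, ordinary HTTPS, and the inbound SMTP connection are left alone. The allowlist is deliberately strict: a workstation has no legitimate reason to speak SMTP or FTP to anything but the sanctioned servers, so any hit is worth a look rather than a threshold.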

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Like what you read in this blog? Cofense Intelligence customers received the IOCs associated with Mass Logger as well as a technical analytic writeup of the new keylogger. If you are not a current Cofense Intelligence customer, this is the time to take advantage of our free 90 day access offer, allowing you to receive even more detailed insights into phishing and malware threats that evade email gateways—yours free for 3 months.

This post was first published on Cofense's website by Cofense.