A new keylogger called “Mass Logger” is currently being tracked by Cofense Intelligence and security researchers believe that it could significantly impact the larger keylogger market as well as the phishing threat landscape.
Keyloggers make up the largest volume of unique phishing campaigns by malware type today, and they continue to grow in both popularity and sophistication.
Cofense is particularly concerned about Mass Logger because of how quickly the malware is updated. Its author consistently updates and improves Mass Logger, which allows cybercriminals deploying the malware to overcome security measures taken to detect and defend against it. This rapid development also allows the malware’s creator to quickly add features in response to customer feedback.
Cofense Intelligence has identified a campaign that used an attached GuLoader executable to deliver an encrypted Mass Logger binary. GuLoader itself is a popular malware delivery mechanism that downloads encrypted payloads hosted on legitimate file sharing platforms. The email used in the campaign was also recently seen in an Agent Tesla keylogger campaign which could indicate that some cybercriminals have already decided to switch from using Agent Tesla to using Mass Logger.
Mass Logger’s creator, known as NYANxCAT, is also responsible for several other well-known malware types including LimeRAT, AsyncRAT and other remote access trojans. NYANxCAT’s malware is usually feature-rich and easy to use, which allows for easy adoption by amateur threat actors. However, many of the features incorporated into Mass Logger are quite advanced, such as its USB spreading capability.
NYANxCAT continues to improve the functionality of Mass Logger through updates and recently, 13 updates were released in only a three-week period. In patch notes, NYANxCAT explained that new targets have been added for the keylogger’s credential stealing functionality and that measures have been taken to reduce automated detection.
Sophisticated features help set Mass Logger apart from other common malware. For example, it includes a function that allows cybercriminals to search for files with a specific file extension and exfiltrate them.
To defend against Mass Logger and other similar threats, Cofense recommends that network admins monitor for FTP sessions or emails sent from local networks that do not conform to their organization’s standards.
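One way to operationalise that recommendation is to run outbound connection logs through a small policy check that flags FTP or SMTP sessions leaving the internal network from hosts that are not sanctioned senders. The following is an added illustration, not Cofense's tooling; the log format, the 10.0.0.0/8 internal range and the sanctioned mail relay address are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: connection log lines in "timestamp src_ip dst_ip dst_port proto" form.
SAMPLE_LOG = """\
2020-06-01T09:14:02Z 10.0.5.23 203.0.113.10 443 tcp
2020-06-01T09:14:07Z 10.0.5.23 198.51.100.7 21 tcp
2020-06-01T09:15:11Z 10.0.1.2 198.51.100.25 25 tcp
2020-06-01T09:16:30Z 10.0.5.44 192.0.2.99 587 tcp
2020-06-01T09:17:01Z 10.0.5.44 10.0.1.2 25 tcp
"""

# Constructed policy: the internal address space and the only internal hosts
# allowed to originate FTP or mail traffic to the outside (here, one mail relay).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SANCTIONED_SENDERS = {"10.0.1.2"}
WATCHED_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}

@dataclass(frozen=True)
class Alert:
    timestamp: str
    src_ip: str
    dst_ip: str
    service: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_nonconforming(log_text: str) -> list:
    """Return one Alert per FTP/SMTP connection that leaves the internal network
    from a host that is not a sanctioned sender."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing on them
        ts, src, dst, port, _proto = parts
        service = WATCHED_PORTS.get(int(port))
        if service is None:
            continue
        # Internal-to-internal mail (workstation -> relay) is expected; only flag
        # traffic that exits the network from an unsanctioned source host.
        if is_internal(src) and not is_internal(dst) and src not in SANCTIONED_SENDERS:
            alerts.append(Alert(ts, src, dst, service))
    return alerts

if __name__ == "__main__":
    for a in find_nonconforming(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src_ip} -> {a.dst_ip} ({a.service})")
```

On the sample log this flags the direct FTP session from 10.0.5.23 and the mail submission from 10.0.5.44, while the relay's own SMTP traffic and the workstation-to-relay delivery pass.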