The email looks innocuous enough and may lead to a target clicking on a file that has been attached alongside the message. But therein lies the danger, with this attachment a malicious HTML file that runs Javascript and kickstarts the Masslogger infection process.
This latest variant of the malware is capable of stealing user credentials from a wide range of popular programmes. Applications highlighted include Google Chrome, Chromium-powered browsers like Microsoft Edge, Outlook, Discord and NordVPN.
Explaining what happens when your login credentials are stolen, Cisco Talos said: “Once the credentials from targeted applications are retrieved, they are uploaded to the exfiltration server with a filename containing the username, two-letter country ID, unique machine ID and the timestamp for when the file was created.
“Uploaded credential files begin with the information about the user and the infected system, configuration options and processes running, followed by the retrieved credentials delimited by lines containing targeted application names.”
So far this malware campaign hasn’t reached the UK or US, with regions such as Italy, Turkey and Spain targeted. And from the emails that Cisco Talos have seen, it appears that attackers have been aiming their sights at specific business targets.