MASS Logger Trojan, Windows credential stealer is back with an upgrade

February 24, 2021

MASS Logger, a well-known credential stealer for the Windows platform that steals credential data from Chrome, Outlook and instant messaging apps, was detected in attacks last week by cybersecurity experts. The keylogger was used against users in Turkey, Latvia and Italy. The infections resemble the cyber-attacks from September to November 2020 that targeted Windows users in Bulgaria, Hungary, Romania, Spain, Lithuania and Estonia.

This trojan was first detected in the wild in April last year, and since then the malware operators appear to have been improving its code.

Unlike previous MASS Logger attacks, the sample in the latest attack uses a Microsoft Compiled HTML Help file to start the infection chain. The help file format can contain active script components, JavaScript in this case, which the threat actors use to launch the keylogger malware.

The infection chain starts with an email whose message is tailored to look legitimate and which carries a RAR attachment with an unusual filename extension, such as "docxxxxxxxxxxx.r15". This file type is one volume of a multi-volume RAR archive, a format choice intended to trick and bypass security applications.
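As an added illustration (not from the original report or the researchers' tooling), a mail-gateway style check can flag the attachment pattern described above: a numbered RAR volume extension such as `.r15`, confirmed by the RAR file signature, arriving without the first `.rar` volume. The function names and the sample message are constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 1.5-4.x, RAR 5
VOLUME_EXT = re.compile(r"\.r\d{2}$", re.IGNORECASE)  # old-style volume names: .r00 .. .r99


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment that looks like a RAR volume."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = [(p.get_filename() or "", p.get_payload(decode=True) or b"")
                   for p in msg.iter_attachments()]
    names = {name.lower() for name, _ in attachments}
    findings = []
    for name, data in attachments:
        numbered = bool(VOLUME_EXT.search(name))
        is_rar = data.startswith(RAR_MAGICS)
        if not (numbered or is_rar):
            continue
        # A real multi-volume set starts with <base>.rar; a numbered volume sent alone is unusual.
        first_volume = VOLUME_EXT.sub(".rar", name).lower()
        findings.append({
            "filename": name,
            "numbered_volume_ext": numbered,
            "rar_signature": is_rar,
            "lone_volume": numbered and first_volume not in names,
        })
    return findings


def build_sample() -> bytes:
    """Constructed test message: RAR signature plus filler, not a real archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(RAR_MAGICS[0] + b"\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="docxxxxxxxxxxx.r15")
    msg.add_attachment(b"plain notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A finding with `lone_volume` set is a candidate for quarantine or manual review rather than proof of malice, since legitimate senders occasionally split large archives.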

Once an attachment is opened by unsuspecting victims, a pop-up message “Customer Service” will be displayed on the screen.


Simultaneously, JavaScript code runs in the background and creates an HTML page containing a PowerShell downloader, which fetches the loader that launches the MASS Logger payload.


This malware can exfiltrate private data via FTP, SMTP and HTTP. This latest version has implemented features to steal login credentials from Discord, NordVPN, Pidgin Messenger, Outlook, Thunderbird, Firefox, QQ browser, Chrome, Opera, Edge and Brave browsers. This trojan can also work as a keylogger, but this detected variant has the function disabled based on security researchers’ analysis.

Additionally, this MASS Logger variant executes entirely in memory, so detecting this threat requires continuous background application checks and memory scans dedicated to malware detection.
