Hackers Use VBScript Files to Deploy Masslogger Credential Stealer Malware
Seqrite Labs has uncovered a sophisticated variant of the Masslogger credential stealer malware being distributed through VBScript Encoded (.VBE) files.
This advanced threat, which likely spreads via spam emails or drive-by downloads, operates as a multi-stage fileless malware, heavily exploiting the Windows Registry to store and execute its malicious payload without writing files to disk.
According to the Seqrite blog report, this evasive technique poses a significant challenge to traditional antivirus and signature-based detection methods, and combating it effectively requires behavioral monitoring and registry anomaly detection.
Sophisticated Fileless Attack
The infection chain begins with a .VBE file, which, once decoded, reveals layers of obfuscation and modular routines designed to conceal its true functionality.
Upon execution, the script sets up an intricate environment in the Registry under the path “HKCU\Software”, writing multiple hard-coded keys and values, some of which remain encoded until runtime, to prepare for the deployment of its payload.
The malware's operation unfolds as a carefully crafted multi-stage process. It begins by preparing registry entries via subroutines such as AKAAU() and XSSAY(), which store encoded data and split the final Masslogger payload into 25,000-character chunks across segmented registry paths for stealthy persistence.
It establishes persistence using a Windows scheduled task named after a registry key (esBbIgyFlZcXjUl), set to trigger every minute from the infection date, executing a .VBS script that simulates user input to PowerShell for in-memory payload loading.
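A hunting check for the two behaviours just described, added here as an example and not part of Seqrite's report or tooling: it flags string values under HKCU\Software large enough to hold a 25,000-character payload chunk, and scheduled tasks that repeat every minute while launching a .vbs. The 20,000-character threshold, the 'PT1M' interval match and the wscript/cscript filter are assumptions; tune them for your estate.

```powershell
# Added hunting example (not from the Seqrite report). Run in an elevated or
# user-context PowerShell on a suspect host; it only reads, never modifies.
param(
    [int]$MinChunkLength = 20000,       # assumption: just under the 25,000-char chunks
    [string]$Hive = 'HKCU:\Software'    # hive the article says the payload is staged in
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Oversized string values under HKCU\Software that could hold encoded payload chunks.
Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        if ($value -is [string] -and $value.Length -ge $MinChunkLength) {
            $findings.Add([pscustomobject]@{
                Type   = 'LargeRegistryValue'
                Where  = "$($key.Name)\$name"
                Detail = "length=$($value.Length)"
            })
        }
    }
}

# 2. Scheduled tasks repeating every minute ('PT1M') whose action runs a .vbs.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $everyMinute = $task.Triggers | Where-Object {
        $_.Repetition -and $_.Repetition.Interval -eq 'PT1M'
    }
    $runsVbs = $task.Actions | Where-Object {
        ($_.Execute -match 'wscript|cscript') -or ("$($_.Execute) $($_.Arguments)" -match '\.vbs')
    }
    if ($everyMinute -and $runsVbs) {
        $findings.Add([pscustomobject]@{
            Type   = 'MinuteTaskRunningVbs'
            Where  = "$($task.TaskPath)$($task.TaskName)"
            Detail = ($runsVbs | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        })
    }
}

# Either class of finding alone is worth triage; both together on one host match the
# registry-staged, task-driven loader chain described above.
$findings | Format-Table -AutoSize
```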

Data Exfiltration Tactics
The malware deploys two stagers: Stager-1, a small .NET executable (~14KB) retrieved from the Registry, loads Stager-2, which then extracts the final payload and injects it into a target process like “AddInProcess32.exe” via process hollowing.
Notably, the malware checks for system protection status by querying security-related registry keys to detect installed antivirus tools, halting execution if multiple protections are present.
It also exhibits geo-targeted behavior, attempting to download additional payloads for French systems from a hardcoded URL (now inaccessible).
The final Masslogger payload targets credentials from browsers like Chrome and email clients, harvesting login data, keylogging, and monitoring user activity, before exfiltrating stolen information through FTP, SMTP, or Telegram Bot API channels using hard-coded credentials or structured email attachments.
At the end of its lifecycle, it terminates processes like conhost.exe and PowerShell.exe to erase traces of its activity.
This fileless approach and multi-stage execution underscore the evolving sophistication of credential stealers, urging defenders to adopt dynamic, behavior-based detection strategies to mitigate such threats.
Indicators of Compromise (IoC)
| Component | MD5 Hash |
|---|---|
| .VBE File | 29DBD06402D208E5EBAE1FB7BA78AD7A |
| .VBS File | F30F07EBD35B4C53B7DB1F936F72BE93 |
| Stager-1 | 2F1E771264FC0A782B8AB63EF3E74623 |
| Stager-2 | 37F0EB34C8086282752AF5E70F57D34C |
| MassLogger Payload | 1E11B72218448EF5F3FCA3C5312D70DB |
| URL | hxxps://144.91.92.251/MoDi.txt |