Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A sophisticated variant of the Masslogger credential stealer has been identified spreading through .VBE (encoded VBScript) files. This multi-stage fileless malware relies heavily on the Windows Registry to store and execute its malicious payload. The infection begins with a .VBE file, likely distributed via spam email or drive-by downloads. The malware creates registry keys that hold its commands, stager configurations, and the final payload. It establishes persistence through a scheduled task and uses techniques that simulate user input. Multiple stagers decode and load the final Masslogger payload, which is injected into the AddInProcess32.exe process. The payload targets multiple web browsers and email clients to steal credentials and other sensitive information, with capabilities that include keylogging, screen capture, and data exfiltration over FTP, SMTP, or Telegram.
OPENCTI LABELS:
process hollowing, data exfiltration, obfuscation, vbscript, credential stealer, windows registry, persistence, masslogger, fileless malware
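The chain summarised above (script host running a .VBE, scheduled-task persistence, a registry-reading stager, and a payload injected into AddInProcess32.exe) can be hunted for in process-creation telemetry. The following Python heuristic is an added example, not code from the report or from OpenCTI; the Sysmon-style events are constructed, and the parent/child pairings (script host spawning PowerShell, PowerShell spawning AddInProcess32.exe) are assumptions about how such a chain would typically appear, not indicators taken from the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent image name, lower-case (assumed Sysmon-style field)
    image: str    # child image name, lower-case
    cmdline: str  # full command line of the child

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def classify(ev: ProcEvent) -> list[str]:
    """Return the behaviour tags this event matches (empty list = nothing flagged)."""
    tags = []
    cmd = ev.cmdline.lower()
    # Stage 1: a script host launching an encoded VBScript (.vbe) file
    if ev.image in SCRIPT_HOSTS and re.search(r"\.vbe\b", cmd):
        tags.append("vbe-script-host")
    # Persistence: a scheduled task whose action re-launches a script host or PowerShell
    if ev.image == "schtasks.exe" and "/create" in cmd and \
            any(h in cmd for h in SCRIPT_HOSTS | {"powershell", "mshta"}):
        tags.append("schtasks-script-persistence")
    # Stager: script host spawning PowerShell that reads a value back out of the registry
    if ev.parent in SCRIPT_HOSTS and ev.image == "powershell.exe" and \
            any(k in cmd for k in ("hkcu", "hklm", "get-itemproperty")):
        tags.append("registry-stager")
    # Injection target: AddInProcess32.exe started by a script host or PowerShell (assumed pairing)
    if ev.image == "addinprocess32.exe" and ev.parent in SCRIPT_HOSTS | {"powershell.exe"}:
        tags.append("addinprocess32-hollowing-candidate")
    return tags

# Constructed sample events, not from the report
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "wscript.exe", 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.vbe"'),
    ProcEvent("wscript.exe", "schtasks.exe",
              'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\\Users\\u\\AppData\\x.vbe"'),
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -w hidden -c (Get-ItemProperty HKCU:\\Software\\x).p"),
    ProcEvent("powershell.exe", "addinprocess32.exe",
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe readme.txt"),
]

def hunt(events):
    """Return (image, tags) for every event that matched at least one behaviour."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]

if __name__ == "__main__":
    for image, tags in hunt(SAMPLE_EVENTS):
        print(image, tags)
```

Any single tag is weak on its own; the chain is the signal, so correlate the tags by host and time window before alerting.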