Rapidly evolving keylogger malware has some security experts worried


A new keylogger that could have a significant impact on web security is being carefully tracked by researchers.

The main worry about this keylogger -- called Mass Logger by its discoverers -- is how frequently its creator updates it.

A keylogger is software or hardware that logs and saves whatever's typed into a keyboard, often with the aim of stealing passwords, usernames or other sensitive information. Keylogging malware is often deployed by spyware or in phishing attacks.

Research lab Cofense Intelligence wrote in a blog post that the author of Mass Logger is consistently updating and improving the malware, making it easier for the malware to bypass security measures designed to mitigate such threats.

Another concern is that the author is able to quickly add new features after receiving feedback from customers (yes, malware developers have customers), which will likely make the malware popular among cybercriminals. 

Sophisticated malware

Max Gannon of Cofense Intelligence wrote that one malware campaign used an attached GuLoader executable to deliver an encrypted Mass Logger binary. 

He explained: “GuLoader has recently risen to prominence as a malware delivery mechanism which downloads encrypted payloads hosted on legitimate file-sharing platforms. 

“The email used to exfiltrate data in this campaign was also recently seen in an Agent Tesla keylogger campaign, indicating that some threat actors may already be switching from Agent Tesla to Mass Logger.”

Mass Logger was created by a developer called NYANxCAT, who is also behind a range of other notorious malware. These include LimeRAT, AsyncRAT and various other RAT variants. (RAT is short for remote-access Trojan, malware that pretends to be benign but which creates a backdoor into your machine after you open the file.)

Rich, easy-to-implement malware

Gannon said NYANxCAT's malware is feature-rich and easy to use, so it can be readily deployed by cybercriminals who don't always have the skills to develop their own malware. But what’s interesting is that Mass Logger is already rather advanced.

“Despite this relatively low entry bar, many of the features incorporated into Mass Logger are advanced, such as its USB spreading capability,” Gannon wrote. 

“The capable actor behind these malware families has demonstrated an investment in Mass Logger, improving the functionality of the malware with 13 updates in only a three-week time period.”

He also said Mass Logger can steal credentials, bypass automated detection and search for specific file extensions and then exfiltrate them.

To mitigate these threats, Gannon recommends that network defenders watch for FTP sessions or emails sent from the local network that do not conform to your organization’s standards, tune sandbox systems to look for anti-analysis and evasion techniques and disable password-saving in applications like Firefox.
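One way to implement the first of those recommendations, as an added example that is not from Cofense or this article: a check over flow records that flags outbound FTP and SMTP traffic falling outside an organization's allowlists. The network range, allowlisted hosts, record format and sample records are all assumptions constructed for illustration.

```python
import ipaddress

# All values below are assumptions for illustration, not from the article.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_MAIL_SENDERS = {"10.0.5.25"}      # only the mail relay may send SMTP out
APPROVED_FTP_SERVERS = {"198.51.100.10"}   # sanctioned external FTP server
PORT_PROTOCOL = {21: "ftp", 25: "smtp", 465: "smtp", 587: "smtp"}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2020-06-15T09:01:02Z 10.0.5.25 203.0.113.7 25
2020-06-15T09:03:40Z 10.0.12.44 203.0.113.90 587
2020-06-15T09:04:11Z 10.0.12.44 198.51.100.10 21
2020-06-15T09:05:55Z 10.0.31.8 203.0.113.200 21
2020-06-15T09:06:10Z 10.0.31.8 10.0.5.25 25
2020-06-15T09:07:00Z 10.0.12.44 203.0.113.5 443
not a flow line
"""

def find_nonconforming(flow_text):
    """Return (timestamp, src, dst, port, protocol) for each outbound FTP or
    SMTP flow that falls outside the allowlists above."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        try:
            ts, src_s, dst_s, port_s = parts
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # skip malformed or truncated records
        proto = PORT_PROTOCOL.get(port)
        # Only flows leaving the internal network on FTP/SMTP ports matter here.
        if proto is None or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue
        if proto == "smtp" and src_s in APPROVED_MAIL_SENDERS:
            continue  # the relay is expected to send mail out
        if proto == "ftp" and dst_s in APPROVED_FTP_SERVERS:
            continue  # sanctioned file-transfer destination
        findings.append((ts, src_s, dst_s, port, proto))
    return findings

if __name__ == "__main__":
    for finding in find_nonconforming(SAMPLE_FLOWS):
        print("ALERT", *finding)
```

Matching on destination port misses FTP or SMTP carried on non-standard ports, so a protocol-aware sensor is the stronger data source where one is available.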


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
