Skip to main content

Beware the Masslogger Trojan — it's here to steal your passwords

A rendering of a digital Trojan horse.
(Image credit: posteriori/Shutterstock)

Look out, internet users — powerful Windows malware is aiming to steal your most sensitive passwords. 

The malware, called Masslogger, is a Trojan horse that arrives as an email attachment. It tries to steal usernames and passwords from Microsoft Outlook, the Thunderbird email client, NordVPN, Discord and other email and chat services, as well as from the password managers built into Google Chrome, Mozilla Firefox, Microsoft Edge and other browsers.

Victims whose passwords are stolen may see their email accounts and chat accounts hijacked, as well as accounts whose passwords were stored in their browsers. 

The current malware campaign, as detailed by Cisco Talos researcher Vanja Svajcer in a blog post yesterday (Feb. 17), primarily targets business accounts, though it won't spare personal accounts. The malware tries to evade detection by being "fileless," or existing almost completely only in a computer's memory.

We're not going to get into the technical aspects, but the infection process is a Rube Goldberg machine of seven or eight individual steps. 

The user opens a compressed email attachment, which unfolds into a compressed HTML file, which contains JavaScript, which opens the Windows PowerShell system-management interface, which downloads a fake image file, which holds Microsoft .NET assembly code, which is compiled by PowerShell into runtime malware that exists only in system memory.

Got all that? The only trace this attack will leave on a machine is the original email attachment, which looks harmless until you begin the infection process. Only the best antivirus software and other defensive mechanisms that examine what's going on in system memory will catch it.

How to protect yourself from Masslogger

For the moment, this Masslogger campaign is targeting email users in Turkey, Latvia and Italy. Previous versions of Masslogger hit Spain, Bulgaria, Romania, Estonia and Lithuania in the fall of 2020. It may be only a matter of time before Masslogger spreads to the wealthiest countries in Europe and jumps to North America.  

To avoid infection, run one of the best antivirus software programs and be very wary of unsolicited email attachments, even from people you know. Before you open any attachment, save it to a spot in your file system, then right-click (or control-click on a Mac) the item and scan it with your antivirus software.

Also, use a third-party password manager instead of saving passwords in your browser. Google and Mozilla are constantly trying to make their browser password managers safer, but malware still finds a way in far too often.