Skip to main content

Rapidly evolving keylogger malware has some security experts worried

keylogger
(Image credit: Shutterstock)

A new keylogger that could have a significant impact on web security is being carefully tracked by researchers.

The main worry about this keylogger -- called Mass Logger by its discoverers -- is due to the frequency at which it is being updated by its creator.

A keylogger is software or hardware that logs and saves whatever's typed into a keyboard, often in the aim of stealing passwords, usernames or other sensitive information. Keylogging malware is often deployed by spyware or in phishing attacks.

Research lab Cofense Intelligence wrote in a blog post that the author of Mass Logger is consistently updating and improving the malware, making it easier for the malware to bypass security measures designed to mitigate such threats.

Another concern is that the author is able to quickly add new features after receiving feedback from customers (yes, malware developers have customers), which will likely make the malware popular among cybercriminals. 

Sophisticated malware

Max Gannon of Cofense Intelligence wrote that one malware campaign used an attached GuLoader executable to deliver an encrypted Mass Logger binary. 

He explained: “GuLoader has recently risen to prominence as a malware delivery mechanism which downloads encrypted payloads hosted on legitimate file-sharing platforms. 

“The email used to exfiltrate data in this campaign was also recently seen in an Agent Tesla keylogger campaign, indicating that some threat actors may already be switching from Agent Tesla to Mass Logger.”

Mass Logger was created by a developer called NYANxCAT, who is also behind a range of other notorious malware. These include LimeRAT, AsyncRAT and various other RAT variants. (RAT is short for remote-access Trojan, malware that pretends to be benign but which creates a backdoor into your machine after you open the file.)

Rich, easy-to-implement malware

Gannon said NYANxCAT's malware is feature rich and easy-to-use so that it can be easily implemented by cybercriminals, who don't always have the skills to develop their own malware. But what’s interesting is that Mass Logger is already rather advanced. 

“Despite this relatively low entry bar, many of the features incorporated into Mass Logger are advanced, such as its USB spreading capability,” Gannon wrote. 

“The capable actor behind these malware families has demonstrated an investment in Mass Logger, improving the functionality of the malware with 13 updates in only a three-week time period.”

He also said Mass Logger can steal credentials, bypass automated detection and search for specific file extensions and then exfiltrate them.

To mitigate these threats, Gannon recommends that network defenders watch for FTP sessions or emails sent from the local network that do not conform to your organization’s standards, tune sandbox systems to look for anti-analysis and evasion techniques and disable password-saving in applications like Firefox.