Conveyed through phishing emails, the Masslogger trojan's most recent variation is contained inside a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla's security research arm. Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.”
Masslogger is not an entirely new creation of the malware industry: Talos highlighted research by infosec chap Fred HK. He ascribed it to a malware underground persona who goes by the handle of NYANxCAT. Costs for Masslogger were apparently $30 for three months or $50 for a lifetime license. Cisco's analysis showed that Masslogger “is almost entirely executed and present only in memory” with just the email attachment and the HTML help file.