It Sits in the Registry, Runs Every Minute, and Steals Everything You’ve Ever Had

ExcalibuR

No files, no traces — yet all your passwords are already in someone’s Telegram channel.


Hackers have once again utilized lesser-known but highly effective infection techniques — this time by delivering malware as encoded VBScript files with the .VBE extension. The campaign, discovered by Seqrite Labs, involves an advanced version of the Masslogger malware and shows how phishing attacks keep growing more sophisticated: the payload is never written to disk as a file but is stored in, and run from, the Windows registry.


How the Attack Works


The attack begins with the execution of an encoded .VBE file, which is decoded in memory and employs multi-layered obfuscation to hinder analysis. The malicious code then creates a complex structure of keys and values in the HKCU\Software registry branch, where the main malware module, 25,000 characters long, is stored as a series of fragments. To ensure persistent presence, the malware registers a task in Windows Task Scheduler that runs the script every minute; the script simulates user input and launches the main payload through PowerShell.


Multi-Stage Installation Process


  1. First Stage: A small .NET binary (Stager-1) is extracted from the registry, which activates the next component (Stager-2).
  2. Second Stage: This completes the deployment of the main Masslogger module via Process Hollowing, a technique in which the malware replaces the code of the legitimate process AddInProcess32.exe with its own, so that it runs under the name of a trusted process and evades detection by security products.

Data Theft and Exfiltration


Once deployed, Masslogger focuses on stealing sensitive information, including:


  • Login credentials and saved passwords from browsers (including Chrome)
  • Credentials from email clients
  • Keystrokes (keylogging)
  • User activity

The stolen data is then exfiltrated using FTP, SMTP, or through the Telegram Bot API, with the attacker embedding access credentials for these channels into the malware's code.


Anti-Analysis and Targeting Features


Masslogger is equipped with anti-analysis mechanisms:


  • It checks for the presence of active antivirus software by querying the registry. If it detects multiple antivirus systems, it terminates execution.
  • Geo-targeted behavior: When the malware detects a French system, it attempts to download additional payloads from a hardcoded URL, which was unavailable during analysis.

Final Phase: Cleaning Up


In the final phase, the malware erases all traces of its activity:


  • It terminates the conhost.exe and PowerShell.exe processes to clear command histories.
  • It removes any remaining traces of its presence from memory.

Key Takeaways for Defense


This attack underscores the critical importance of behavioral analysis and registry monitoring as essential parts of a robust defense strategy. Signature-based methods are ineffective against such multi-layered, dynamically executing threats, especially when no payload file is ever written to disk. The new version of Masslogger highlights how even old technologies can pose significant threats when combined with clever technical ingenuity.
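The three host-level traits described above (a task that re-runs every minute and launches a script host, large script fragments stored under HKCU\Software, and AddInProcess32.exe started by a script host) can be turned into a simple hunt. The script below is an added example, not code from the article or from Seqrite Labs; the list of intervals, the 8,000-character threshold and the set of script hosts are assumptions chosen for illustration and should be tuned to the environment.

```powershell
# Added hunt script (not from the article): looks for the three host-level traits the report describes.
# Thresholds and the list of script hosts are assumptions chosen for illustration; tune them locally.
$MinuteLikeIntervals = @('PT1M', 'PT2M', 'PT5M')   # ISO 8601 durations as Task Scheduler stores them
$ScriptHosts         = 'wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|mshta\.exe'
$LargeValueThreshold = 8000   # chars of string data per key; the report cites a 25,000-char module

function Find-RepeatingScriptTasks {
    # Scheduled tasks that re-run every few minutes and launch a script host
    # (the report: a task that fires every minute and triggers the payload through PowerShell)
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval
            if (-not $interval -or $MinuteLikeIntervals -notcontains $interval) { continue }
            foreach ($action in $task.Actions) {
                $cmd = "$($action.Execute) $($action.Arguments)".Trim()
                if ($cmd -match $ScriptHosts) {
                    [pscustomobject]@{
                        Finding = 'RepeatingScriptTask'
                        Where   = "$($task.TaskPath)$($task.TaskName)"
                        Detail  = "every $interval -> $cmd"
                    }
                }
            }
        }
    }
}

function Find-RegistryPayloadFragments {
    # Keys under HKCU\Software whose REG_SZ / REG_EXPAND_SZ data is unusually large,
    # which is what a script-in-registry loader leaves behind
    foreach ($key in Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue) {
        $totalChars = 0
        $valueCount = 0
        foreach ($name in $key.GetValueNames()) {
            if ([string]$key.GetValueKind($name) -notin 'String', 'ExpandString') { continue }
            $totalChars += ([string]$key.GetValue($name)).Length
            $valueCount++
        }
        if ($totalChars -ge $LargeValueThreshold) {
            [pscustomobject]@{
                Finding = 'LargeStringDataInHKCU'
                Where   = $key.Name
                Detail  = "$valueCount string value(s), $totalChars chars total"
            }
        }
    }
}

function Find-AddInProcessWithScriptParent {
    # AddInProcess32.exe whose parent is a script host matches the hollowing step the report describes
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'AddInProcess32.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        if ($parent.Name -match $ScriptHosts) {
            [pscustomobject]@{
                Finding = 'AddInProcess32FromScriptHost'
                Where   = "PID $($proc.ProcessId) (parent PID $($proc.ParentProcessId))"
                Detail  = "parent command line: $($parent.CommandLine)"
            }
        }
    }
}

$findings = @(Find-RepeatingScriptTasks) + @(Find-RegistryPayloadFragments) + @(Find-AddInProcessWithScriptParent)
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in a PowerShell session on the suspect host as the user whose session is under review, because the registry scan only covers that user's HKCU hive, which is where the report places the fragments. Expect benign hits from software that caches large strings under HKCU\Software; a key that is also referenced by a minute-interval task, or that was written shortly before a script host spawned AddInProcess32.exe, is the combination worth escalating.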