From the emails that Cisco Talos has spotted, it looks like the malware campaign has specific business targets in mind. In some emails, the threat actor tried to make the message appear more legitimate by adding in the email footer ‘Shipped with Genius Scan for iOS’.
And while these messages may seem innocuous at first they come with a malicious HTML file attachment. This RAR attachment runs JavaScript code which when triggered begins the Masslogger infection process.
Masslogger was first released in April 2020, and is designed mainly to steal credentials from browsers but can also target messaging applications and email clients. Credentials that Masslogger steals can then be sold on the DarkWeb, where they can fetch a high price.
The latest malware campaign that Cisco Talos spotted began in January and has mainly been spotting in Turkey, Italy or Latvia. Some emails that attackers have sent out have been sent in English though.