Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry

June 23, 2025, 7:54 p.m.

Description

A variant of the Masslogger credential stealer has been identified spreading through .VBE (encoded VBScript) files. This multi-stage malware relies heavily on the Windows Registry to store and execute its payload, so that after the initial script runs little of the chain lives on disk as a conventional file. The infection begins with a .VBE file, likely distributed via spam email or drive-by download. The script sets up registry keys that hold commands, stager configurations and the final payload, establishes persistence through a scheduled task, and uses techniques that simulate user input. A series of stagers then decodes and loads the final Masslogger payload, which is injected into AddInProcess32.exe. Note that AddInProcess32.exe is a legitimate, signed .NET Framework binary, so its presence alone is not an indicator; what matters is which process launched it and with what arguments. The payload targets multiple web browsers and email clients to steal credentials and other sensitive data, with capabilities that include keylogging, screen capture and exfiltration over FTP, SMTP or Telegram.
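The description above lists four behaviours that can be hunted for independently of the file hash: a script host executing a .VBE, a large encoded blob written to the registry, a scheduled task whose action re-launches a script host, and AddInProcess32.exe started by something other than a .NET host. The block below is an added example, not code from the advisory or from any analysis of the sample; it runs those four checks over a constructed set of Sysmon-style events (event 1 = ProcessCreate, event 13 = RegistryValueSet) and reports when enough stages of the chain appear together. The field names, the 1024-byte blob threshold, the "no /guid: argument" heuristic for AddInProcess32.exe, and every path and registry key in the sample events are assumptions made for the example.

```python
"""Added hunting example (not from the original advisory).

Flags the behaviours the description attributes to this Masslogger variant in
Sysmon-like events. Field names, thresholds and sample data are assumptions.
"""
import base64
import re

# Assumed: process images that should not normally be the parent of AddInProcess32.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Assumed threshold: a registry value this large and base64-shaped is a staged blob, not config.
LARGE_BLOB = 1024
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{%d,}$" % LARGE_BLOB)

# Constructed sample events (not real telemetry). Keys mirror Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\u\Downloads\invoice.vbe'},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\ExampleKey\stage1",   # hypothetical key
     "Details": base64.b64encode(b"A" * 4000).decode()},              # stand-in for a stager blob
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater '
                    r'/tr "wscript.exe //e:vbscript C:\Users\u\AppData\Roaming\u.vbe"'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"AddInProcess32.exe"},
    # Benign control: AddInProcess32.exe launched by a .NET host with arguments.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "ParentImage": r"C:\Program Files\Vendor\host.exe",
     "CommandLine": r"AddInProcess32.exe /guid:00000000-0000-0000-0000-000000000000 /pid:1234"},
    # Benign control: ordinary small registry write.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\ExampleKey\flag", "Details": "1"},
]

CHAIN_STAGES = {"vbe_script_host", "registry_staged_blob",
                "schtasks_script_persistence", "addinprocess32_unusual_launch"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule_name, detail) findings for one event."""
    hits = []
    if ev["EventID"] == 1:
        img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        # Stage 1: a script host executing an encoded VBScript file.
        if img in {"wscript.exe", "cscript.exe"} and re.search(r"\.vbe\b", cmd, re.I):
            hits.append(("vbe_script_host", cmd))
        # Persistence: a scheduled task whose action re-launches a script host or .vbe.
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
                and re.search(r"wscript|cscript|\.vbe|powershell", cmd, re.I):
            hits.append(("schtasks_script_persistence", cmd))
        # Injection target: AddInProcess32.exe started by a script/shell host, or with
        # no /guid: argument (assumed heuristic for a non-add-in-pipeline launch).
        if img == "addinprocess32.exe" and (parent in SCRIPT_HOSTS or not re.search(r"/guid:", cmd, re.I)):
            hits.append(("addinprocess32_unusual_launch", f"parent={parent}"))
    elif ev["EventID"] == 13:
        # Registry-staged payload: large base64-shaped value written under the user hive.
        details = ev.get("Details", "")
        if len(details) >= LARGE_BLOB and B64_RE.match(details):
            hits.append(("registry_staged_blob", ev["TargetObject"]))
    return hits


def hunt(events):
    """Run every check and decide whether enough stages co-occur to call it a chain."""
    findings = [hit for ev in events for hit in check_event(ev)]
    stages = sorted({rule for rule, _ in findings} & CHAIN_STAGES)
    return {"findings": findings, "stages_seen": stages, "likely_chain": len(stages) >= 3}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for rule, detail in result["findings"]:
        print(f"[{rule}] {detail}")
    print("stages seen:", result["stages_seen"], "likely chain:", result["likely_chain"])
```

The two benign control events exist to show the false-positive boundary: a legitimate AddInProcess32.exe launch with a `/guid:` argument from a non-script parent and a small registry write produce no findings, while the four constructed malicious events each trip one stage, so the chain verdict fires on co-occurrence rather than on any single event.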

Date

  • Created: June 18, 2025, 5:19 p.m.
  • Published: June 18, 2025, 5:19 p.m.
  • Modified: June 23, 2025, 7:54 p.m.

Indicators

  • SHA-256: 0e34c369fc2ab097534feac7983c24c9082ce7e88f600b2f30d377145224cc1d