Sunday, January 18, 2026

Cybercriminals Use VBScript to Deploy Masslogger Credential Stealer Malware

Security researchers at Seqrite Labs have uncovered a new wave of sophisticated cyberattacks where cybercriminals utilize encoded VBScript (.VBE) files as the initial infection vector for deploying the Masslogger credential stealer malware.

This campaign exemplifies the evolving threat landscape, with attackers leveraging advanced, multi-stage, fileless techniques that exploit the Windows Registry and scripting environments to bypass traditional security measures.

Infection and Initial Tactics: VBScript’s Obfuscation and Registry Abuse

The attack chain begins when victims are tricked into opening a .VBE file—likely distributed via spam emails or malicious advertisements.

The .VBE file format, encoded using Microsoft’s built-in script encoding, is specifically chosen to deter casual analysis and evade detection by less sophisticated security tools.

Once decoded, the script reveals a series of obfuscated modular routines designed to set up a stealthy execution environment on the victim’s system.

At the heart of this technique is the abuse of the Windows Registry. The malicious script writes a series of encoded commands and configuration data to registry keys under HKCU\Software\esBbIgyFlZcXjUl. These values include:

  • Obfuscated PowerShell commands: Stored under value names such as “instant” and “v”, these are later deobfuscated and executed to load .NET stagers directly into memory.
  • Target process selection: The registry value “i” specifies the target process for injection, typically pointing to legitimate Microsoft files like “AddInProcess32.exe”, which is located in the .NET Framework directory.
  • Control flags: Values like “in” and “cn” are used as control flags for managing the execution flow and processes, such as killing running processes like conhost.exe to cover tracks.

The script’s initial setup also checks whether “MSBuild.exe” is present on the system, indicating a higher degree of targeting and adaptability, as different stagers may be deployed depending on the environment.

Advanced Fileless Execution and Persistence

After establishing the necessary registry entries, the malware proceeds to the next stage by storing the main payload in segmented chunks within additional registry values.

Each chunk is limited to 25,000 characters to fit within registry size limits, and is stored under subkeys such as HKEY_CURRENT_USER\SOFTWARE\esBbIgyFlZcXjUl\donn\segment*.

To ensure persistent execution, the malware sets up a scheduled task using Windows Task Scheduler.

The task, named after the registry key, is programmed to execute a VBS script at regular intervals, ensuring that the malware can persist even after reboots.

The script periodically checks certain registry flags and, when triggered, executes malicious commands, often using simulated user input to run PowerShell scripts.

This user input simulation is achieved using the .SendKeys method, which sends keystrokes directly to the active window, making the attack appear more legitimate and less detectable.

The malware also employs advanced evasion tactics. It checks for the presence of security products by querying well-known registry keys where anti-virus and security software register themselves, such as HKLM\SOFTWARE\Microsoft\Security Center\Provider\Av.

If multiple security products are detected, the malware may halt its execution to avoid detection.

Payload, Data Harvesting, and Exfiltration

Once the execution environment is prepared, the malware loads .NET assemblies directly from the registry, reversing, concatenating, and decoding stored chunks to reconstruct the final Masslogger payload in memory.

This process is completed without ever writing the executable to disk, making the attack highly evasive.
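To show what that reconstruction step looks like from the analyst's side, here is an added Python decoder (not from the article or Seqrite's report) that rebuilds the staged bytes from exported segment* values. It assumes the chunks hold the reversed base64 text, since the article names the steps but not their exact order, and uses constructed two-character chunks in place of real 25,000-character ones.

```python
import base64
import binascii
import re

# Constructed sample of the chunk subkey's values (name -> string data), as an
# analyst might get them from a registry export. Real chunks run to 25,000
# characters; these are two characters each so the round trip is readable.
# Assumed layout: the chunks are pieces of the REVERSED base64 text, so the
# decoder joins them in numeric order, reverses the result, then base64-decodes.
SAMPLE_VALUES = {
    "i": "AddInProcess32.exe",          # non-chunk value, must be ignored
    "segment1": "hQ", "segment2": "WY", "segment3": "vx", "segment4": "We",
    "segment5": "hB", "segment6": "HI", "segment7": "lx", "segment8": "Gc",
    "segment9": "tF", "segment10": "2c", "segment11": "go", "segment12": "VT",
}

SEGMENT_RE = re.compile(r"^segment(\d+)$", re.IGNORECASE)

def order_segments(values):
    """Chunk data in numeric name order: segment2 before segment10, which a
    plain string sort would get wrong (segment1, segment10, segment11, ...)."""
    chunks = []
    for name, data in values.items():
        m = SEGMENT_RE.match(name)
        if m:
            chunks.append((int(m.group(1)), data))
    if not chunks:
        raise ValueError("no segment* values present")
    chunks.sort(key=lambda c: c[0])
    return [data for _, data in chunks]

def reassemble(values):
    """Rebuild the staged bytes from the chunks; raises on corrupt base64."""
    text = "".join(order_segments(values))[::-1]   # join, then reverse
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"chunks do not decode cleanly: {exc}") from exc

def looks_like_pe(blob):
    """Cheap sanity check: a .NET assembly is a PE file and starts with 'MZ'."""
    return blob[:2] == b"MZ"

if __name__ == "__main__":
    payload = reassemble(SAMPLE_VALUES)
    print(len(payload), "bytes recovered, PE header present:", looks_like_pe(payload))
```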

The Masslogger payload is then injected into a legitimate process (e.g., AddInProcess32.exe) using process hollowing, making it appear as a standard system process while it carries out its malicious activities.

The malware harvests credentials from a wide range of browsers and email clients, including Chrome, Firefox, Edge, Opera, Outlook, and Thunderbird.

It utilizes SQLite database queries to extract saved usernames, passwords, and autofill data, and also captures keystrokes, clipboard content, and screen snapshots to gather additional data for potential theft.

For customized targeting, the malware checks the system’s locale. If the system is configured for the French language, it attempts to download a secondary payload from a remote server, further demonstrating its adaptability to targeted environments.

To exfiltrate stolen data, Masslogger uses multiple channels:

  • FTP: Uploads stolen credentials as .txt files to hardcoded FTP servers.
  • SMTP: Constructs and sends emails containing stolen data using compromised mail servers.
  • Telegram: Sends captured data as documents via the Telegram Bot API, including metadata about the victim’s system.

Security teams are advised to monitor for suspicious registry activity, especially under HKCU\Software\, and to enable PowerShell logging for detection of in-memory attacks.

Behavioral detection mechanisms that look for anomalous process injection patterns and scheduled task creation are also recommended.
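As an added example of the registry monitoring recommended above (not from the article or Seqrite), the following Python applies two detection rules to constructed Sysmon-style registry value-set records: a script host writing a PowerShell stager into a user-hive value, and a run of segmentN values staging a chunked payload under one key. The event field names, the SID, the placeholder encoded command and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style "Registry value set" (Event ID 13) records, reduced
# to the three fields the rules use. Sysmon reports the current user's hive as
# HKU\<SID>\..., so the paths are written that way. All values are made up.
STAGING_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\esBbIgyFlZcXjUl"
EVENTS = [
    {"image": r"C:\Windows\explorer.exe",   # benign control row
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "target": STAGING_KEY + r"\instant",
     "details": "powershell -w hidden -e QUFBQUFB"},  # placeholder, not a real command
]
EVENTS += [{"image": r"C:\Windows\System32\wscript.exe",
            "target": STAGING_KEY + rf"\donn\segment{n}",
            "details": "A" * 25000} for n in range(1, 6)]  # 25,000-char chunks

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_STAGER_RE = re.compile(r"powershell|frombase64string|\biex\b|\s-e(nc\w*)?\s", re.I)
SEGMENT_RE = re.compile(r"\\segment\d+$", re.I)
USER_SOFTWARE_RE = re.compile(r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\", re.I)

def detect_registry_staging(events, min_segments=4, big_total=20000):
    """Return (rule, key) findings for payload staging under the user's Software key."""
    findings = []
    staged = defaultdict(lambda: [0, 0])  # parent key -> [segment count, total chars]
    for ev in events:
        path, data = ev["target"], ev["details"]
        if not USER_SOFTWARE_RE.match(path):
            continue
        host = ev["image"].lower().rsplit("\\", 1)[-1]
        # Rule 1: a script host storing something that looks like a PowerShell
        # stager in a user-hive value (the "instant" / "v" values on this page).
        if host in SCRIPT_HOSTS and PS_STAGER_RE.search(data):
            findings.append(("script_host_staged_powershell", path))
        # Rule 2: a run of segmentN values under one key, or a pile of data
        # near the 25,000-character chunk size, is payload staging.
        if SEGMENT_RE.search(path):
            entry = staged[path.rsplit("\\", 1)[0]]
            entry[0] += 1
            entry[1] += len(data)
    for key, (count, chars) in staged.items():
        if count >= min_segments or chars >= big_total:
            findings.append(("segmented_payload_in_registry", key))
    return findings

if __name__ == "__main__":
    for rule, key in detect_registry_staging(EVENTS):
        print(f"{rule}: {key}")
```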

Indicators of Compromise (IoCs):

File MD5:

  • .VBE: 29DBD06402D208E5EBAE1FB7BA78AD7A
  • .VBS: F30F07EBD35B4C53B7DB1F936F72BE93
  • Stager-1: 2F1E771264FC0A782B8AB63EF3E74623
  • Stager-2: 37F0EB34C8086282752AF5E70F57D34C
  • MassLogger Payload: 1E11B72218448EF5F3FCA3C5312D70DB