Multilogin is an application designed to make it easier to log into multiple accounts on a single website or platform simultaneously. Recently, Zscaler ThreatLabz has come across a live phishing campaign that is targeting genuine Multilogin users by tricking the users into downloading a malicious installer. The installer is hosted on newly registered websites "multilogin-uk[.]com" and "multilogin-us[.]com" (registered on September 2nd 2021) which are a lookalikes of the legitimate website "multilogin[.]com". The threat actor has taken great care to match every detail, starting from website layout to the url pattern used for downloading the application, in order to impersonate as the legitimate website.
The malicious installer installs a stealer (named as multilogin), written in Dotnet, on the compromised machine. This stealer gathers sensitive information from the victim's system and sends it to its telegrambot in a zip format.
This blog aims to describe the behavior of the installer and the main functionalities of the stealer.
The below snapshot shows the delivery mechanism and attack chain of the malware.
As a first step, the threat actors have cloned the legitimate website, giving it a similar domain name, in order to trick the user into visiting the phishing website and downloading the malicious installer hosted on it. The below snapshot shows the difference between the fake and legitimate sites.
For the purposes of analysis, we will look at the Installer with MD5 hash: 9986d6836e6b4456fd38e7d5b036c727, which is an Inno package unsigned binary. The below snapshot shows the comparison between the installer downloaded from the fake site and the installer from the legitimate site.
Like the normal installer, the malicious installer creates a full environment, starting with registry changes, then creating required folders (explained later), for the effective execution of the malware. In order to achieve persistence on the compromised machine, the malicious installer creates a shortcut file in the All Users startup folder as can be seen in the below snapshot.
It is to be noted that the installer drops the malware at the user’s selected installation path at the time of installing the application.
Required folders: The installer creates a folder named “Item” and the following sub-folders, which shall be checked and used by the malware later:
After successful installation, the final GUI (Graphical User Interface) comes up with an enabled check box to launch the application named as multilogin (hereinafter referred to as malware). After clicking the “Finish” button, the malware comes into play. Now, let's get into the code to understand the functionality of the malware.
Before starting stealing activities, the malware checks the required folders in the system and then executes its functions to collect information from the compromised machine, explained below:
1.) IP Address Information: Firstly, the malware collects the IP address by making a web request to “checkip.dyndns.org”and stores the collected information at “<Installation_Path>\Item\IPAddress\IPAddress.txt”, in the format <IP_Address>:<Country_Name>, as explained in the below snippet.
It is to be noted that the above code also acts as a checkpoint for an internet connection--that is, if the malware doesn’t get a response, then the malware crashes.
2.) User’s Login data:
The steps to gather the login data of the user are as follows:
3.) Autofill and Cookies:
The malware uses a similar mechanism to the one explained above to collect autofill and cookies information and stores the respective data in a file placed at <Installation_Path>\Item\Autofill\<Browser_name>Profile_<Integer>_AUTOFILL.txt> and <Installation_Path>\Item\cookies\<Browser_name>Profile_<Integer>_cookies.txt>, respectively. The below table depicts the targeted file and the sql queries used to extract the information.
Newly Created file Path
Decryption of bytes?
Select name, value FROM autofills
SELECT host_key, is_httponly, path, is_secure, expires_utc, name, encrypted_value, creation_utc FROM cookies order by host_key,creation_utc desc
The below snippet shows the format in which malware will store the related information.
Note:- Similar code and logic is there for stealing information from other browsers (except Firefox). The below snapshot shows the list of browsers targeted by the malware author.
<Browser>Service = Responsible for checking the targeted file location and then writing of the decrypted data.
<Browser>Decryptor= Responsible for decryption of the encrypted data
In the case of Firefox, the malware targets cookies.sqlite, signons.sqlite and logins.json files to carve out the sensitive information and stores the data in <Installation_Path>\Item\cookies\FFProfile_Cookies.txt and <Installation_Path>\Item\Password\FFProfile_PASSWORD_.txt respectively. It is to be noted that for decryption of encrypted data, the malware uses PK11SDR_Decrypt” API of nss3.dll.
After stealing all the data from different browsers, the malware then creates a zip file which shall be sent to the command and control (C2) server. The below code explains the same.
After zip creation, in order to transfer the zip file, the malware initiates C2 communication to its Telegram bot, using a hard-coded token. The snippets of the code are shown below.
After successfully performing the stealing activities, in order to leave no trace, the malware displays a pop-up with a false message to update the application and asks the user for confirmation to proceed ahead. Once the user responds, then the malware opens a legitimate link in the foreground and deletes the created zip file in the background, irrespective of the option chosen by the user. It means that even if the user selects “No,” the code will execute in the same pattern.
Zscaler's multilayered cloud security platform detects these indicators at various levels: Win32.Backdoor.MultiloginBot.
The Zscaler sandbox coverage is below:
Boot or Autostart Execution
Credentials from Password Stores
Exfiltration over Web Services
Command and Scripting Interpreter
Data from Local System
Archive Collected Data
Forge Web Credentials
Below are information on IOCs, including MD5 hashes and URLs, that should be blocked.