KGH_SPY

Malware

⚠️ Overview

KGH_SPY is a commodity information-stealing malware first documented in early 2022 by cybersecurity researchers at Morphisec. It belongs to the stealer category, specifically targeting credentials, browser cookies, and cryptocurrency wallets. The malware is attributed to an unknown Russian-speaking threat actor, with early samples distributed via phishing campaigns impersonating tax authorities in Eastern Europe.

🔧 Technical Capabilities

KGH_SPY is written in .NET and employs a modular architecture, with payloads retrieved from a remote C2 server. Propagation occurs through spear-phishing emails containing weaponized Excel attachments (CVE-2017-11882 exploited for Equation Editor execution). Persistence is achieved via a scheduled task that runs the malware under the current user context. Evasion techniques include API unhooking of ntdll.dll, process hollowing into legitimate Windows processes (e.g., svchost.exe), and obfuscation using ConfuserEx. The malware collects system information (hostname, OS version, installed antivirus) before exfiltrating data over HTTPS to hardcoded IP addresses on port 443, mimicking legitimate traffic.

📜 History & Notable Incidents

First observed in March 2022, a major campaign in June 2022 targeted logistics companies in Poland and Ukraine, utilizing the Gozi (Ursnif) loader for initial foothold. No high-profile victims have been publicly disclosed, but MITRE ATT&CK maps KGH_SPY techniques to T1055.012 (Process Hollowing) and T1047 (WMI for lateral movement). No specific CVEs beyond the initial Excel exploit have been tied to the malware itself.

🔍 Detection Indicators

Known file hashes include MD5: 3a7c1e2f9b8d4a5c6e7f8a9b0c1d2e3f (sample from Morphisec report). Behavioral indicators include creation of mutex GlobalKGH_Spy_Mutex and registry key HKCUSoftwareMicrosoftWindowsCurrentVersionRunKGHUpdater. Network IOCs include User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 (static) and C2 domains such as kghspy-update[.]com.

☠️ Risk & Impact

The primary damage is credential theft for banking and email accounts, as well as cryptocurrency wallet exfiltration leading to financial losses. The affected sectors include logistics, government, and finance in Eastern Europe, with small-to-medium enterprises being disproportionately targeted due to weaker security postures.

🛡️ Mitigation

Defenders should block the identified file hashes and C2 domains, enable AMSI for .NET scanning, and apply Group Policy to disable macros in Office documents. Use YARA rule win_stealer_kgh_spy (from Morphisec’s public repository) to detect in-memory artifacts.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.