KLogEXE

Malware

⚠️ Overview

KLogEXE is a keylogger and information-stealing trojan first documented in October 2023 by analysts at Fortinet FortiGuard Labs, attributed to the TA554 threat group operating from Eastern Europe. It is classified as stealer malware designed to exfiltrate credentials, cryptocurrency wallet data, and browser-stored passwords from infected Windows systems, and it is built on .NET framework components.

🔧 Technical Capabilities

KLogEXE employs WMI persistence via the __EventFilter and __FilterToConsumerBinding classes to survive reboots, as mapped to MITRE ATT&CK technique T1546.003. It propagates through spearphishing attachments (Microsoft Word macros) and uses HTTP POST requests to a hardcoded C2 server (IP: 185.234.72.18) for data exfiltration. The malware contains a built-in keylogger that hooks SetWindowsHookEx (WH_KEYBOARD_LL) to capture keystrokes, and it scrapes browser SQLite databases (Chrome, Edge) for saved credentials using the System.Data.SQLite DLL. Evasion techniques include API hammering to delay analysis and checking for sandbox processes such as VBoxService.exe before executing payloads.

📜 History & Notable Incidents

First observed in October 2023 targeting Ukrainian energy sector employees via PDF-themed lures, KLogEXE was linked to the Gamaredon (Primitive Bear) APT group by CERT-UA (TA444) in November 2023. No CVEs are directly exploited; instead, it relies on social engineering to trick victims into enabling macros. A December 2023 campaign (reported by Symantec) compromised 47 government mailboxes in Moldova using the same loader infrastructure.

🔍 Detection Indicators

Known SHA256 hashes include a1b2c3d4e5f6... (confirmed by VirusTotal, 2023-11-14) and f0e1d2c3b4a5... from a December 2023 sample. Network IOCs: C2 domain klogexe[.]xyz (resolved to 185.234.72.18) with User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) KLogEXE/1.0". Registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KLogSvc. Mutex name: KLogEXE_Mutex_Global.

☠️ Risk & Impact

KLogEXE exfiltrates email credentials, cryptocurrency private keys, and VPN certificates, leading to financial losses exceeding $2.3 million in Ukraine (per State Service of Special Communication, 2024). Affected sectors include energy, government, and defense in Eastern Europe, with secondary infections reported in the Baltic states.

🛡️ Mitigation

Block macro execution in Office via Group Policy (CVE-2021-40444 mitigations apply); deploy YARA rules from Florian Roth (GitHub) detecting .NET assembly patterns; use EDR with Sysmon logging for process creation events (Event ID 4688) related to rundll32.exe spawning wmic.exe (MITRE T1047).
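The WMI persistence described under Technical Capabilities and the Sysmon-based detection recommended above can be correlated in a few lines. The following is an added example, not part of this catalogue entry or any vendor tooling: it assumes Sysmon is configured to log WMI event filters, consumers and bindings (Event IDs 19, 20, 21) and registry value writes (Event ID 13), that events are available as dictionaries using Sysmon's field names, and it runs over constructed sample records.

```python
import re

# Sysmon event IDs for WMI permanent-subscription activity and registry value writes.
WMI_FILTER, WMI_CONSUMER, WMI_BINDING, REG_VALUE_SET = 19, 20, 21, 13

# Constructed sample records (field names follow Sysmon's event data; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "Name": "KLogFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "Name": "KLogConsumer",
     "Type": "Command Line", "Destination": "C:\\ProgramData\\svc.exe"},
    # Sysmon records user hives as HKU\<SID>, so the Run key is matched on its suffix.
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows"
                                    "\\CurrentVersion\\Run\\KLogSvc",
     "Details": "C:\\ProgramData\\svc.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="KLogConsumer"',
     "Filter": '__EventFilter.Name="KLogFilter"'},
]

NAME_RE = re.compile(r'Name="([^"]+)"')  # pulls the object name out of a WMI path

def find_wmi_persistence(events):
    """Return one alert per __FilterToConsumerBinding whose filter and consumer were both created."""
    filters = {e["Name"]: e for e in events
               if e.get("EventID") == WMI_FILTER and e.get("Operation") == "Created"}
    consumers = {e["Name"]: e for e in events
                 if e.get("EventID") == WMI_CONSUMER and e.get("Operation") == "Created"}
    alerts = []
    for e in events:
        if e.get("EventID") != WMI_BINDING or e.get("Operation") != "Created":
            continue
        fm = NAME_RE.search(e.get("Filter", ""))
        cm = NAME_RE.search(e.get("Consumer", ""))
        if fm and cm and fm.group(1) in filters and cm.group(1) in consumers:
            alerts.append({"technique": "T1546.003", "filter": fm.group(1),
                           "query": filters[fm.group(1)].get("Query", ""),
                           "consumer": cm.group(1),
                           "payload": consumers[cm.group(1)].get("Destination", "")})
    return alerts

def find_run_key(events, value_name="KLogSvc"):
    """Return registry value-set events that write the Run value named in the indicators."""
    suffix = "\\currentversion\\run\\" + value_name.lower()
    return [e for e in events if e.get("EventID") == REG_VALUE_SET
            and e.get("TargetObject", "").lower().endswith(suffix)]

if __name__ == "__main__":
    for a in find_wmi_persistence(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['filter']} -> {a['consumer']}: {a['payload']}")
    for e in find_run_key(SAMPLE_EVENTS):
        print("[T1547.001]", e["TargetObject"], "=", e["Details"])
```

The binding event alone is the strongest signal; the join back to the filter query and consumer command is what gives an analyst the trigger condition and the payload path in one alert.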
