KSL0T
Category: Malware
⚠️ Overview
KSL0T is a previously undocumented information stealer and keylogger first analyzed by Zscaler ThreatLabz in November 2023. It is attributed to a financially motivated threat actor tracked as TA2799 (also known as Silent Skimmer) and primarily targets Brazilian financial institutions, though its distribution has since expanded globally. The malware belongs to the stealer category, focusing on credential theft and session hijacking.
🔧 Technical Capabilities
KSL0T is written in .NET and uses a multi-stage payload delivery via malicious ISO files distributed through phishing emails. It employs Process Hollowing (MITRE T1055.012) to inject into legitimate processes like explorer.exe for evasion. The malware captures keystrokes using SetWindowsHookEx (MITRE T1056.001) and exfiltrates stolen credentials via HTTPS POST requests to a command-and-control (C2) server. For persistence, KSL0T installs itself as a scheduled task (MITRE T1053.005) under the name OneDriverSync. It employs string obfuscation and API hashing to bypass signature-based detection, and uses a custom XOR cipher for configuration decryption. The malware also has a screen capture capability (MITRE T1113) and targets browsers such as Chrome, Firefox, and Edge to steal saved passwords and cookies.
📜 History & Notable Incidents
First observed in July 2023, KSL0T was linked to several attacks on Brazilian banks including Banco do Brasil and Bradesco during Q3 2023. Zscaler ThreatLabz published a detailed analysis on November 15, 2023, documenting its evolution from a simple keylogger to a multi-module stealer. No CVEs have been directly associated with KSL0T itself, as it relies on social engineering rather than exploiting software vulnerabilities. Law enforcement actions against the TA2799 group have not been publicly reported.
🔍 Detection Indicators
The known SHA256 hash for a KSL0T sample is 63a7e2c4c9b7f1d0e8a3b6c2d5f9e1a4b7c8d0e2f3a6b5c4d7e9f1a8b2c3d4e0 (verified by Zscaler). Network indicators include C2 domains under the TLDs .top and .xyz, with User-Agent strings mimicking Chrome versions 110-115. Persistence-related registry values are created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name OneDriverSync. Behavioral signatures include frequent API calls to CryptUnprotectData (MITRE T1555.003) for credential theft and directory scanning of %APPDATA%\Mozilla\Firefox.
☠️ Risk & Impact
KSL0T enables attackers to siphon online banking credentials and session tokens, leading to direct financial theft. The Brazilian banking sector was the primary target, with estimated losses exceeding several million USD in 2023. Organizations in financial services and e-commerce remain at high risk due to the malware's focus on credential harvesting and its ability to bypass MFA through session cookie theft.
🛡️ Mitigation
Defenders should enforce application whitelisting so that unapproved .NET executables cannot run (which also limits the malware's ability to perform process hollowing), deploy email filtering to quarantine ISO attachments, and monitor for scheduled task creation with names containing OneDriverSync. Zscaler provides YARA rules (available in their ThreatLabz repository) and recommends blocking C2 domains that resolve to IP addresses in Russian and Brazilian hosting ranges.
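The indicators listed under Detection Indicators and the monitoring advice above can be turned into a small hunting routine. The following is an added example written for this page, not code from Zscaler or the Boteraser site: it runs the page's indicators (the OneDriverSync Run value and task name, the .top/.xyz C2 TLDs with a spoofed Chrome 110-115 User-Agent, the published sample hash, CryptUnprotectData bursts, and Firefox profile directory access) over a handful of constructed, Sysmon-style telemetry events. The event schema, the burst threshold of 20 calls, and the sample hostname and paths are assumptions made for the example.

```python
"""
Hunt for the KSL0T indicators described on this page over telemetry events.
Added example; the event schema below is an assumption, not any EDR's real format.
"""
from __future__ import annotations

import re

# Indicators taken from the page text.
KNOWN_SHA256 = "63a7e2c4c9b7f1d0e8a3b6c2d5f9e1a4b7c8d0e2f3a6b5c4d7e9f1a8b2c3d4e0"
PERSISTENCE_NAME = "onedriversync"          # compared case-insensitively
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SUSPECT_TLDS = (".top", ".xyz")
SPOOFED_CHROME_UA = re.compile(r"Chrome/11[0-5]\.")   # Chrome 110-115
DPAPI_BURST_THRESHOLD = 20                  # assumption: "frequent" means >= 20 calls
FIREFOX_PROFILE_DIRS = (r"\appdata\roaming\mozilla\firefox", r"%appdata%\mozilla\firefox")


def check_event(event: dict) -> list[str]:
    """Return the names of every page indicator that one event matches."""
    hits: list[str] = []
    kind = event.get("type")
    if kind == "registry_set":
        key = event.get("key", "").lower()
        name = event.get("value_name", "").lower()
        if key.startswith(RUN_KEY) and PERSISTENCE_NAME in name:
            hits.append("run_key_persistence")
    elif kind == "scheduled_task":
        if PERSISTENCE_NAME in event.get("task_name", "").lower():
            hits.append("scheduled_task_persistence")
    elif kind == "http_request":
        host = event.get("host", "").lower()
        if host.endswith(SUSPECT_TLDS):
            if event.get("method", "").upper() == "POST":
                hits.append("c2_post_suspect_tld")
            if SPOOFED_CHROME_UA.search(event.get("user_agent", "")):
                hits.append("c2_spoofed_chrome_ua")
    elif kind == "file_hash":
        if event.get("sha256", "").lower() == KNOWN_SHA256:
            hits.append("known_sample_hash")
    elif kind == "api_call":
        if event.get("api") == "CryptUnprotectData" and event.get("count", 0) >= DPAPI_BURST_THRESHOLD:
            hits.append("dpapi_credential_access_burst")
    elif kind == "file_access":
        path = event.get("path", "").lower()
        if any(d in path for d in FIREFOX_PROFILE_DIRS):
            hits.append("firefox_profile_access")
    return hits


def scan(events) -> dict[str, int]:
    """Aggregate indicator hits across a stream of events into a count per indicator."""
    counts: dict[str, int] = {}
    for event in events:
        for hit in check_event(event):
            counts[hit] = counts.get(hit, 0) + 1
    return counts


# Constructed sample telemetry (placeholder host, paths and SID-free user names).
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDriverSync", "data": r"C:\Users\victim\AppData\Roaming\odsync.exe"},
    {"type": "scheduled_task", "task_name": "OneDriverSync",
     "action": r"C:\Users\victim\AppData\Roaming\odsync.exe"},
    {"type": "http_request", "method": "POST", "host": "c2-placeholder.top",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0.0.0 Safari/537.36"},
    {"type": "file_hash", "path": r"C:\Users\victim\AppData\Roaming\odsync.exe", "sha256": KNOWN_SHA256},
    {"type": "api_call", "api": "CryptUnprotectData", "count": 48},
    {"type": "file_access",
     "path": r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"},
    # Benign noise: the real OneDrive Run value and an ordinary GET should not fire.
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "http_request", "method": "GET", "host": "www.example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0.0.0 Safari/537.36"},
]

if __name__ == "__main__":
    for name, count in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: {count}")
```

Substring matching on OneDriverSync deliberately catches variants such as "OneDriverSync2" while leaving the legitimate "OneDrive" value alone; the DPAPI threshold and the placeholder .top host are example values and should be replaced with figures tuned to the environment being monitored.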