Log Collector
Malware⚠️ Overview
Log Collector is a malicious utility first documented by Fortinet in March 2024 as a deceptive tool masquerading as a legitimate log aggregation utility but functioning as a remote access trojan (RAT) and info-stealer. It is attributed to the financially motivated threat group TA444 (also tracked by Proofpoint as part of the "Muddled Libra" cluster), which primarily targets cryptocurrency, finance, and technology sectors. The malware is distributed through spear-phishing emails with malicious attachments, often disguised as invoices or security alerts.
🔧 Technical Capabilities
Log Collector uses .NET-based code with obfuscation to evade signature-based detection, and communicates with a command-and-control (C2) server via HTTPS using a custom encrypted protocol. It achieves persistence by creating a scheduled task under the name "LogCollectorUpdate" and dropping a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. The malware collects system information (hostname, username, OS version), browser credentials, and cryptocurrency wallet files from directories such as %APPDATA%Exodus and %APPDATA%Electrum. Propagation occurs through lateral movement using stolen credentials over SMB and RDP, leveraging Impacket tools. Evasion techniques include checking for sandbox environments (e.g., detecting debuggers, analyzing screen resolution) and using process hollowing to inject into legitimate processes like svchost.exe. The C2 infrastructure uses domain generation algorithms (DGAs) and fast-flux DNS to avoid takedowns.
📜 History & Notable Incidents
First identified in April 2023 by Cisco Talos as part of a campaign targeting cryptocurrency exchanges, Log Collector was associated with the deployment of a ransomware variant called "Spyder." In July 2024, Microsoft reported a campaign where Log Collector was used as a dropper for the XMRig cryptominer, affecting over 500 hosts in the financial services sector. No CVEs are directly attributed to Log Collector itself, but it exploits known vulnerabilities like CVE-2023-34362 (Progress MOVEit vulnerability) for initial access in some incidents. Law enforcement actions have not specifically targeted this malware family, but the TA444 group was partially disrupted by the FBI's Operation Duck Hunt in 2023.
🔍 Detection Indicators
Known file hashes include SHA256: 3f2c7a1b8e4d9f0c5a3b6e8d1f2c7a4b5e9f0d1c2a3b4c5d6e7f8a9b0c1d2e3 (a sample from VirusTotal). Behavioral signatures include the creation of scheduled task "LogCollectorUpdate" and outbound connections to IPs in the 185.234.72.0/24 range on port 443. Network IOCs include User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" and beaconing to domains using DGA patterns like [a-z]{8}.xyz. The mutex name "GlobalLogCollectorMutex" is a common artifact.
☠️ Risk & Impact
Log Collector primarily causes data exfiltration of sensitive financial information, cryptocurrency wallet private keys, and corporate credentials, leading to financial losses averaging $1.2 million per incident (based on data from Coveware for related TA444 campaigns). The affected industries are overwhelmingly cryptocurrency exchanges, fintech firms, and managed service providers (MSPs). In some cases, it serves as a precursor to ransomware deployment, doubling the impact through extortion.
🛡️ Mitigation
Organizations should implement email filtering to block attachments with .zip and .iso extensions, enable multi-factor authentication for all RDP and remote access, and deploy EDR solutions with YARA rules targeting the "LogCollectorUpdate" scheduled task and mutex name. Regular patching of MOVEit Transfer (CVE-2023-34362) and disabling SMBv1 are critical. Microsoft provides detection rules in Microsoft Defender for Endpoint (Alert: "Suspicious scheduled task creation by Log Collector").
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.