Logtu

Malware

⚠️ Overview

Logtu is a remote access trojan (RAT) first documented by Netlab, the research arm of Chinese security firm Qihoo 360, in March 2021. It is attributed to a suspected state-sponsored or financially motivated threat group operating out of Southeast Asia and primarily targets Windows systems in the government, telecommunications, and energy sectors across the Asia-Pacific region. Netlab's initial analysis classified Logtu as a custom RAT with encrypted command-and-control (C2) communication and a modular plugin architecture.

🔧 Technical Capabilities

Logtu propagates via spear-phishing emails carrying malicious Microsoft Office attachments that exploit CVE-2017-11882 (the Equation Editor vulnerability) and CVE-2018-0802. Once executed, it drops a primary DLL payload that establishes persistence through a scheduled task named "WindowsUpdateTask" and a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with the value name "LogtuSvc". The RAT uses a custom TCP-based protocol over ports 80, 443, and 8080 for C2 communication, encrypting traffic with a hardcoded XOR key (0xAB) followed by AES-128-CBC. It supports more than 15 plugins for keylogging, screen capture, file exfiltration, and reverse shell execution, and its evasion techniques include process hollowing of legitimate Windows binaries (e.g., svchost.exe) and disabling User Account Control via registry modification. Logtu's C2 infrastructure relies on dynamic DNS domains and IP addresses hosted on compromised VPS providers in Hong Kong and South Korea, with a heartbeat every 60 seconds to keep the C2 channel alive.

📜 History & Notable Incidents

First observed in January 2021, Logtu was identified in a campaign targeting Taiwanese government ministries in March 2021; a subsequent campaign in October 2021 compromised a major Indonesian telco provider, exfiltrating customer databases containing 1.2 million records. The malware exploits CVE-2017-11882 (critical, CVSS score 7.8) and CVE-2018-0802 (CVSS score 7.8) as initial access vectors, both documented in MITRE ATT&CK under T1204.002 (User Execution: Malicious File) and T1193 (Spearphishing Attachment).

🔍 Detection Indicators

Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35 (verified via Qihoo Netlab's threat intel portal). Behavioral indicators include outbound connections on non-standard ports to malicious domains containing the substring ".logtu" or ".update-sys" (e.g., update-sys.top), registry values under the Run key named "LogtuSvc", and creation of the mutex "LogtuGlobalMutex" to prevent multiple instances from running.

☠️ Risk & Impact

Logtu poses a high risk because of its ability to exfiltrate sensitive data, including credentials, intellectual property, and personally identifiable information, with estimated financial losses exceeding $3 million across affected sectors. The malware has specifically impacted telecommunications providers in Southeast Asia, leading to service disruptions and regulatory fines for data breaches. Qihoo Netlab's 2021 report classified Logtu as a medium-to-high threat because of its modularity and its targeted use against critical infrastructure.

🛡️ Mitigation

Recommended defenses include applying the Microsoft security patches for CVE-2017-11882 and CVE-2018-0802, deploying endpoint detection rules that flag process hollowing and suspicious scheduled tasks named "WindowsUpdateTask", and blocking outbound connections to domains ending in ".logtu" or ".update-sys" through DNS sinkholing and network segmentation. The MITRE ATT&CK mapping includes T1055.012 (Process Hollowing), T1053.005 (Scheduled Task), and T1071.001 (Application Layer Protocol: Web Protocols).
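The behavioral indicators and detection rules described in the two sections above, turned into a small hunt script as an added example (not Boteraser's or Netlab's code). The indicator strings come from this profile; the telemetry event format and the sample events are constructed, and the domain check matches "logtu" and "update-sys" as whole DNS labels so that the page's own example update-sys.top is caught as well as subdomains under it.

```python
# Added example (not Boteraser's or Netlab's code); indicator strings are from
# the profile above, the telemetry events below are constructed.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "LogtuSvc"
TASK_NAME = "WindowsUpdateTask"
MUTEX_NAME = "LogtuGlobalMutex"
C2_LABELS = {"logtu", "update-sys"}
# Caveat: the first SHA-256 the profile lists (e3b0c442...b855) is the digest
# of zero-byte input, so a hash-only hit on it proves nothing; use behaviour.

def domain_is_suspicious(domain: str) -> bool:
    """True if any DNS label equals a C2 naming pattern from the profile.
    Whole-label matching catches both x.update-sys.top and update-sys.top."""
    labels = domain.lower().rstrip(".").split(".")
    return any(label in C2_LABELS for label in labels)

def match_event(event: dict) -> list[str]:
    """Return the Logtu indicators one telemetry event matches (may be empty)."""
    hits = []
    kind = event.get("type")
    if kind == "scheduled_task" and event.get("name") == TASK_NAME:
        hits.append("T1053.005 scheduled task 'WindowsUpdateTask'")
    if (kind == "registry_set"
            and event.get("key", "").lower() == RUN_KEY.lower()
            and event.get("value") == RUN_VALUE):
        hits.append("Run-key persistence value 'LogtuSvc'")
    if kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("mutex 'LogtuGlobalMutex'")
    if kind == "dns_query" and domain_is_suspicious(event.get("query", "")):
        hits.append(f"C2 domain pattern in {event['query']}")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run each event through match_event; return (event index, indicator)."""
    return [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev)]

# Constructed sample telemetry: four Logtu indicators mixed with benign noise.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "WindowsUpdateTask"},
    {"type": "scheduled_task", "name": "GoogleUpdateTaskMachineUA"},
    {"type": "registry_set", "key": RUN_KEY, "value": "LogtuSvc"},
    {"type": "dns_query", "query": "update-sys.top"},
    {"type": "dns_query", "query": "windowsupdate.microsoft.com"},
    {"type": "mutex_create", "name": "LogtuGlobalMutex"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Feed it the scheduled-task, registry, mutex and DNS events exported from your EDR or Sysmon pipeline in the same dict shape, and forward any hit to the alerting rule that covers T1053.005 and T1071.001.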


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.