NexusLogger
⚠️ Overview
NexusLogger is an information stealer first documented in early 2023 by security researchers at Zscaler ThreatLabz and later analyzed by Mandiant. It operates as a commodity stealer sold on underground forums for approximately $1,500 per license and targets Windows systems to harvest credentials, browser data, cryptocurrency wallets, and system information.
🔧 Technical Capabilities
NexusLogger uses a multi-stage infection chain. It is typically delivered via phishing emails carrying malicious ISO files; the ISO runs a PowerShell loader that downloads the main payload, a .NET-based stealer which hooks browser processes through Windows API calls (SetWindowsHookEx) to capture keystrokes and form data. The malware communicates with its C2 over HTTPS using JSON payloads encrypted with a custom XOR-based scheme (MITRE ATT&CK T1573), and gains persistence by creating scheduled tasks or Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001). It evades detection through process hollowing (T1055.012) and sandbox checks (T1497) based on CPU core count, RAM size, and disk size thresholds. The stealer collects data from over 60 applications, including Chrome, Firefox, Edge, Telegram, Discord, and cryptocurrency wallets such as Exodus and Electrum, and exfiltrates it via HTTP POST requests to a hardcoded IP address or domain.
📜 History & Notable Incidents
First spotted in January 2023 by Zscaler’s cloud sandbox, NexusLogger gained notoriety in March 2023 when a campaign targeting Spanish and Latin American users led to the compromise of over 5,000 credentials, as reported by Check Point Research. In August 2023 the malware was linked to a breach of a European logistics company in which the attackers used stolen RDP credentials to deploy ransomware. No specific CVE is associated with the stealer itself, but its campaigns often leverage CVE-2023-23397 (Microsoft Outlook Elevation of Privilege) for initial access via malicious calendar invitations. No law enforcement actions against the malware’s operators had been publicly documented as of mid-2024.
🔍 Detection Indicators
Indicators include specific file hashes (e.g., SHA256: 4a5e8f2c1d3b6a9e7f0c8d2e4b5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2) reported by VirusTotal, and network IOCs such as the C2 domains "nexuslogger[.]xyz" and "update-check[.]net" (source: MalwareBazaar). Behavioral signatures include creation of the mutex "NexusLogger_Mutex_2023", attempted connections to the IP ranges 185.239.226.0/24 and 45.154.98.0/24, and registry modifications under HKLM\SOFTWARE\NexusLogger, where the malware stores its configuration data.
☠️ Risk & Impact
NexusLogger poses a high risk for data exfiltration, primarily affecting the finance, e-commerce, and cryptocurrency sectors, with average per-incident losses estimated at $50,000-$200,000 according to Mandiant’s 2023 M-Trends report. The malware can lead to credential theft, account takeover, and secondary ransomware deployment, with victims reported in over 30 countries.
🛡️ Mitigation
Mitigation measures include deploying endpoint detection rules for process hollowing and scheduled task creation (e.g., Splunk detection rule ID: 90a1b2c3-d4e5-6789-0abc-def123456789), blocking known IOC domains and IPs at the network perimeter, and enforcing application whitelisting so that .NET-based binaries cannot execute from temporary folders. Regular user training on phishing recognition is also recommended.
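As an added example (not code from any of the cited vendors or from this page's sources), the following Python script turns the Detection Indicators and Mitigation points above into a small host-telemetry checker: it flags the listed C2 domains and netblocks, the mutex name, writes to the configuration key, and Run-key or schtasks persistence that launches a binary from a Temp folder. The event field names and the sample events are constructed assumptions, not real captures.

```python
import ipaddress

# IOCs as listed in the Detection Indicators section above (domains refanged)
C2_DOMAINS = {"nexuslogger.xyz", "update-check.net"}
C2_NETWORKS = [ipaddress.ip_network("185.239.226.0/24"), ipaddress.ip_network("45.154.98.0/24")]
MUTEX_NAME = "NexusLogger_Mutex_2023"
CONFIG_KEY = r"HKLM\SOFTWARE\NexusLogger"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

def from_temp_folder(text):
    """True if a command line or registry value launches something from a Temp folder."""
    return "\\temp\\" in text.lower() or "%temp%" in text.lower()

def match_event(event):
    """Return [(rule, detail), ...] for one telemetry event (a plain dict). Field names are an
    assumption of this example: 'type' plus dst_host/dst_ip, name, key/value_data, cmdline."""
    hits, kind = [], event.get("type")
    if kind == "network":
        host = event.get("dst_host", "").lower()
        if host in C2_DOMAINS:
            hits.append(("c2_domain", host))
        if event.get("dst_ip"):
            addr = ipaddress.ip_address(event["dst_ip"])
            hits += [("c2_netblock", str(n)) for n in C2_NETWORKS if addr in n]
    elif kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append(("mutex", MUTEX_NAME))
    elif kind == "registry":
        key = event.get("key", "")
        if key.upper().startswith(CONFIG_KEY.upper()):
            hits.append(("config_key", key))
        # A Run-key write is only flagged when its value launches from a Temp folder
        elif key.upper().startswith(RUN_KEY.upper()) and from_temp_folder(event.get("value_data", "")):
            hits.append(("run_key_persistence", key))
    elif kind == "process":
        cmd = event.get("cmdline", "").lower()
        if "schtasks" in cmd and "/create" in cmd and from_temp_folder(cmd):
            hits.append(("scheduled_task", cmd))
    return hits

def scan(events):  # apply match_event to every event -> [(event_index, rule, detail), ...]
    return [(i, r, d) for i, ev in enumerate(events) for r, d in match_event(ev)]

# Constructed sample telemetry for demonstration, not real captures
SAMPLE_EVENTS = [
    {"type": "network", "dst_host": "nexuslogger.xyz", "dst_ip": "185.239.226.17"},
    {"type": "mutex", "name": "NexusLogger_Mutex_2023"},
    {"type": "registry", "key": CONFIG_KEY + r"\cfg"},
    {"type": "registry", "key": RUN_KEY + r"\Updater", "value_data": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"type": "process", "cmdline": r"schtasks /create /tn Updater /tr C:\Users\alice\AppData\Local\Temp\svc.exe /sc onlogon"},
]
```

Running scan(SAMPLE_EVENTS) yields one finding per sample event (two for the first, since both the domain and the netblock match); a Run-key value pointing at a Program Files binary produces no hit, which keeps the persistence rule from firing on ordinary startup entries.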
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.