CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed in use in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar) which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or scheduled tasks.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | CorKLOG has stored the captured data in an encrypted file using a 48-character RC4 key.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | CorKLOG has leveraged legitimate binaries to conduct DLL side-loading.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | CorKLOG has encrypted collected contents using RC4.[1] CorKLOG has also utilized XOR encrypted strings.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | CorKLOG has achieved persistence through the creation of a scheduled task named TableInputServices by using the command |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | CorKLOG has used legitimate signed binaries such as lcommute.exe for follow-on execution of malicious DLLs through DLL side-loading.[1] |
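The persistence and side-loading behaviours in the table above map to three common Windows telemetry sources: Security event 4698 (scheduled task created), Sysmon event 7 (image loaded) and System event 7045 (service installed). The script below is an added detection example written for this page; it is not ATT&CK tooling or code from the cited report. The indicators it matches (task name TableInputServices, host binary lcommute.exe, DLL mscorsvc.dll) come from the page; the simplified `Key=value` log format, the sample records, the list of trusted system directories and the assumption that a service whose image path is lcommute.exe is suspicious are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the page text above (lowercased for case-insensitive matching).
TASK_NAME = "tableinputservices"   # scheduled task name used for persistence
SIDELOAD_HOST = "lcommute.exe"     # legitimate signed binary abused for side-loading
SIDELOAD_DLL = "mscorsvc.dll"      # CorKLOG DLL dropped next to the host binary

# Directories from which mscorsvc.dll is expected to load legitimately.
# This list is an assumption made for the example, not something the page states.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
)


@dataclass
class Alert:
    technique: str  # ATT&CK ID from the table above
    reason: str
    record: dict


def basename(path: str) -> str:
    """Return the file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_record(line: str) -> dict:
    """Parse a constructed 'Key=value Key="quoted value"' line into a dict with lowercase keys."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def check_record(rec: dict) -> list:
    """Apply the three CorKLOG checks to one parsed record and return any alerts."""
    alerts = []
    event_id = rec.get("eventid")

    # T1053.005: Security 4698 (task created) with the task name the page reports.
    if event_id == "4698":
        name = rec.get("taskname", "").lower().strip("\\")
        if name == TASK_NAME:
            alerts.append(Alert("T1053.005", "scheduled task name matches CorKLOG persistence task", rec))

    # T1574.001: Sysmon 7 (image loaded) where lcommute.exe loads mscorsvc.dll
    # from somewhere other than a trusted system directory.
    elif event_id == "7":
        image = rec.get("image", "").lower()
        loaded = rec.get("imageloaded", "").lower()
        if (basename(image) == SIDELOAD_HOST and basename(loaded) == SIDELOAD_DLL
                and not loaded.startswith(TRUSTED_DIRS)):
            alerts.append(Alert("T1574.001", f"{SIDELOAD_HOST} side-loaded {loaded}", rec))

    # T1543.003: System 7045 (service installed) whose binary is the side-loading host.
    # The page gives no service name, so matching on the image path is an assumption.
    elif event_id == "7045":
        path = rec.get("imagepath", "").lower()
        if basename(path) == SIDELOAD_HOST:
            alerts.append(Alert("T1543.003", f"service installed with image path {path}", rec))
    return alerts


def scan_log(lines) -> list:
    """Run every record through the checks and return all alerts in input order."""
    alerts = []
    for line in lines:
        alerts.extend(check_record(parse_record(line)))
    return alerts


# Constructed sample records, not real telemetry: three CorKLOG-like events and two benign ones.
SAMPLE_LOG = [
    r'EventID=4698 TaskName="\TableInputServices" SubjectUserName=user',
    r'EventID=4698 TaskName="\Microsoft\Windows\Defrag\ScheduledDefrag" SubjectUserName=SYSTEM',
    r'EventID=7 Image="C:\Users\user\AppData\Roaming\lcommute.exe" ImageLoaded="C:\Users\user\AppData\Roaming\mscorsvc.dll"',
    r'EventID=7 Image="C:\Windows\System32\svchost.exe" ImageLoaded="C:\Windows\System32\mscorsvc.dll"',
    r'EventID=7045 ServiceName="UpdateHelper" ImagePath="C:\Users\user\AppData\Roaming\lcommute.exe"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a.technique, "-", a.reason)
```

Run against the constructed sample, the script raises one alert per CorKLOG-like record (T1053.005, T1574.001, T1543.003) and none for the benign defrag task or the system-directory load of mscorsvc.dll by svchost.exe. The side-load check keys on the host binary plus DLL pair rather than the DLL name alone, since mscorsvc.dll is also a legitimate .NET component name and would otherwise produce noise.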
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | |