CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed in use in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar) containing two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or scheduled tasks.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | CorKLOG has stored the captured data in an encrypted file using a 48-character RC4 key.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | CorKLOG has leveraged legitimate binaries to conduct DLL side-loading.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | CorKLOG has encrypted collected contents using RC4.[1] CorKLOG has also utilized XOR-encrypted strings.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | CorKLOG has achieved persistence through the creation of a scheduled task named TableInputServices by using the command |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | CorKLOG has used legitimate signed binaries such as lcommute.exe for follow-on execution of malicious DLLs through DLL side-loading.[1] |
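The side-loading, scheduled-task and service behaviours listed above, turned into a small detector as an added example; this is not code from the ATT&CK entry or from any tool it describes. It runs over constructed telemetry records; the record field names, and the assumption that a newly created service pointing at lcommute.exe is worth flagging, are mine rather than the page's.

```python
import ntpath

SIDELOAD_HOST = "lcommute.exe"      # signed host binary named on the page
SIDELOAD_DLL = "mscorsvc.dll"       # CorKLOG DLL named on the page
TASK_NAME = "tableinputservices"    # scheduled task named on the page (matched case-insensitively)

# Constructed sample telemetry records, not real logs; the field names are assumed.
SAMPLE_EVENTS = [
    {"event": "image_load",
     "image": r"C:\Users\u\AppData\Local\Temp\src\lcommute.exe",
     "loaded_dll": r"C:\Users\u\AppData\Local\Temp\src\mscorsvc.dll"},
    {"event": "image_load",
     "image": r"C:\Windows\System32\svchost.exe",
     "loaded_dll": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"event": "task_create", "task_name": r"\TableInputServices"},
    {"event": "task_create", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"event": "service_create", "service_name": "TableInput",
     "image_path": r"C:\Users\u\AppData\Local\Temp\src\lcommute.exe"},
]

def _name(path):
    return ntpath.basename(path).lower()

def _dir(path):
    return ntpath.dirname(path).lower()

def classify(ev):
    """Map one telemetry record to the ATT&CK technique ID it matches, or None."""
    kind = ev["event"]
    if kind == "image_load":
        # T1574.001: the host binary resolving the CorKLOG DLL name from its own
        # directory rather than from a Windows system or .NET framework directory.
        if (_name(ev["image"]) == SIDELOAD_HOST
                and _name(ev["loaded_dll"]) == SIDELOAD_DLL
                and _dir(ev["loaded_dll"]) == _dir(ev["image"])):
            return "T1574.001"
    elif kind == "task_create":
        # T1053.005: a scheduled task carrying the name the page attributes to CorKLOG.
        if _name(ev["task_name"]) == TASK_NAME:
            return "T1053.005"
    elif kind == "service_create":
        # T1543.003: a new service whose binary is the side-loading host (assumed indicator).
        if _name(ev["image_path"]) == SIDELOAD_HOST:
            return "T1543.003"
    return None

def scan(events):
    """Return [(technique_id, record)] for every record that matches a rule."""
    return [(t, ev) for ev in events if (t := classify(ev))]
```

The legitimate mscorsvc.dll load by svchost.exe and the built-in defrag task in the sample data are left unflagged, which is the check a practitioner would want before deploying a name-based rule.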
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | |