Exploring the Tools of Sparkling Pisces: KLogEXE and FPSpy

Unit 42 researchers have identified two new malware samples associated with the North Korean threat group Sparkling Pisces, including a keylogger named KLogEXE and a backdoor variant called FPSpy. These findings highlight the group’s evolving capabilities and their continued targeting of South Korean entities. #KLogEXE #FPSpy #SparklingPisces #Kimsuky #SouthKorean #CortexXDR #XSIAM

Key Points

  • Malware Samples: Discovery of KLogEXE (keylogger) and FPSpy (backdoor variant).
  • Threat Group: Sparkling Pisces, also known as Kimsuky, has a history of sophisticated cyberespionage.
  • Targeting: Recent campaigns have focused on South Korean technology users.
  • Technical Analysis: KLogEXE captures keystrokes and mouse clicks; FPSpy has advanced functionalities including data collection and command execution.
  • Infrastructure: Connections found between various malware strains used by Sparkling Pisces.
  • Protection: Palo Alto Networks offers solutions like Cortex XDR and XSIAM to detect and prevent these threats.

MITRE Techniques

  • [T1056] Keylogging – KLogEXE collects keystrokes using the GetAsyncKeyState Windows API.
  • [T1071] Command and Control – FPSpy communicates with its C2 server using HTTP requests.
  • [T1041] Data Exfiltration – KLogEXE exfiltrates collected data by sending it over HTTP to the C2 server.
  • [T1203] Execution – FPSpy executes arbitrary commands on the infected device.
  • [T1003] Credential Dumping – Cortex XDR and XSIAM analyze user activity to detect credential-based threats.
  • [T1070] Timestomp – FPSpy binaries may have been timestomped to alter their apparent creation time; the report states only that ‘there is the possibility that FPSpy binaries are timestomped.’

Indicators of Compromise

  • [File Hash] KLogEXE – 990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27, a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2, faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801
  • [File Hash] FPSpy – c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343, 2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715
  • [Domain] mail.apollo-page.r-e[.]kr, nidlogin.apollo.r-e[.]kr, bitjoker2024.000webhostapp[.]com, and 2 other domains, including www.vic.apollo-star7[.]kro.kr
  • [IP Address] 152.32.138[.]167
  • [URL] hxxp[:]//mail.apollo-page.r-e[.]kr/wp-content/include.php?_sys_=7, hxxp[:]//mail.apollo-page.r-e[.]kr/plugin/include.php?_sys_=7, hxxps[:]//nidlogin.apollo.r-e[.]kr/cmd/index.php?_idx_=7

Read more: https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/