KLogExe and FPSpy Signal a New Wave of Espionage by Sparkling Pisces Hackers

Threat Group: Sparkling Pisces (aka Kimsuky, THALLIUM)
Threat Type: Keylogger & Backdoor Malware
Exploited Vulnerabilities: Human factor (spear phishing), DLL hijacking
Malware Used: KLogExe (keylogger), FPSpy (backdoor)
Threat Score: High (8.0/10) — Due to the combination of data exfiltration and its ability to bypass static detection
Last Threat Observation: October 2024 (by Unit 42 and various researchers)

Overview

The North Korean APT group Sparkling Pisces has recently expanded its cyberespionage operations with two newly identified malware strains: KLogExe and FPSpy. KLogExe is a stealthy C++ keylogger designed to monitor keystrokes, mouse clicks, and application activity. FPSpy, a backdoor variant, is capable of executing arbitrary commands and exfiltrating system information. Both tools are primarily used for espionage, targeting critical sectors such as government agencies, research institutions, and technology firms in South Korea, Japan, and beyond.

Key Details

  • Delivery Method: Spear phishing emails, often disguised as legitimate entities to lure victims into downloading malicious payloads.
  • Target: Government, research institutions, technology companies in South Korea and Japan, with growing activity in Western countries.
  • Functions:
    1. KLogExe logs keystrokes and mouse activity.
    2. FPSpy collects system information and executes commands.
    3. Both communicate with a C2 server via HTTP, disguising malicious traffic as normal web activity.
    4. FPSpy downloads additional modules to expand its capabilities.
    5. Data is stored in encrypted formats to avoid detection.
  • Obfuscation Techniques: Both strains obfuscate their API calls using code leaked from HackingTeam in order to bypass static detection, and are packaged as legitimate-looking executables.

Attack Vectors

KLogExe and FPSpy are delivered through spear phishing campaigns. Victims are deceived into downloading malicious executables, which then start keylogging or open a backdoor for further exploitation. These tools are particularly dangerous because their C2 traffic mimics legitimate web traffic, making detection more difficult.

Known Indicators of Compromise (IoCs)

KLogExe File Hashes (SHA256):

  • 990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27
  • a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2
  • faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801

FPSpy File Hashes (SHA256):

  • c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343
  • 2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715

Malicious Domains:

  • mail.apollo-page.r-e[.]kr
  • nidlogin.apollo.r-e[.]kr
  • bitjoker2024.000webhostapp[.]com
  • www.vic.apollo-star7[.]kro.kr

IP Addresses:

  • 152.32.138[.]167

Malicious URLs:

  • hxxp[:]//mail.apollo-page.r-e[.]kr/wp-content/include.php?_sys_=7
  • hxxp[:]//mail.apollo-page.r-e[.]kr/plugin/include.php?_sys_=7
  • hxxps[:]//nidlogin.apollo.r-e[.]kr/cmd/index.php?_idx_=7

Mitigation and Prevention

  • Email Filtering: Implement robust filtering to block spear phishing emails, especially those with attachments or URLs.
  • User Awareness: Conduct regular training sessions on recognizing phishing attempts and suspicious downloads.
  • Antivirus Protection: Update endpoint detection tools to identify and block KLogExe and FPSpy.
  • Monitor Logs: Regularly review logs for abnormal HTTP traffic and data exfiltration attempts.
  • Two-Factor Authentication: Ensure all sensitive accounts use MFA to minimize the impact of credential theft.
  • Regular Updates: Keep all systems, especially remote access tools, up to date with security patches.
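The IoC lists above and the "Monitor Logs" recommendation can be turned into a simple proxy-log check. The following Python is an added example written for this advisory, not code from the source reports; it assumes a constructed log layout of `<timestamp> <client_ip> <method> <url> <status>` and treats the `_sys_`/`_idx_` query keys from the listed C2 URLs as a weaker heuristic signal that needs tuning against real traffic.

```python
import re
from urllib.parse import parse_qs, urlparse
# Network indicators exactly as listed in this advisory, in defanged form.
DEFANGED_HOSTS = [
    "mail.apollo-page.r-e[.]kr",
    "nidlogin.apollo.r-e[.]kr",
    "bitjoker2024.000webhostapp[.]com",
    "www.vic.apollo-star7[.]kro.kr",
    "152.32.138[.]167",
]
# Query-string keys used by the listed C2 URLs (include.php?_sys_=7, index.php?_idx_=7).
BEACON_PARAMS = {"_sys_", "_idx_"}

def refang(indicator: str) -> str:
    """Convert a defanged indicator back into the literal host or URL it denotes."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

BAD_HOSTS = {refang(h) for h in DEFANGED_HOSTS}
# Assumed proxy log layout (constructed for this example): "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify(line: str) -> list[str]:
    """Return the reasons a proxy log line matches the advisory's IoCs; [] means no match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    reasons = []
    if host in BAD_HOSTS:
        reasons.append(f"known Sparkling Pisces C2 host: {host}")
    # Weaker, heuristic signal: a .php endpoint taking the beacon parameter names.
    params = set(parse_qs(url.query)) & BEACON_PARAMS
    if params and url.path.endswith(".php"):
        reasons.append(f"C2-style beacon query parameter(s): {sorted(params)}")
    return reasons

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run classify over a batch of log lines and keep only the hits."""
    return [(line, reasons) for line in lines if (reasons := classify(line))]

# Constructed sample traffic: two benign requests, one exact-IoC hit, one heuristic-only hit.
SAMPLE_LOG = [
    "2024-10-02T09:14:05Z 10.0.0.21 GET https://www.example.com/index.html 200",
    "2024-10-02T09:14:09Z 10.0.0.21 POST http://mail.apollo-page.r-e.kr/wp-content/include.php?_sys_=7 200",
    "2024-10-02T09:15:33Z 10.0.0.37 GET http://203.0.113.9/blog/index.php?_idx_=7 200",
    "2024-10-02T09:16:01Z 10.0.0.37 GET https://www.example.com/search.php?q=report 200",
]
```

A hit on a listed host is a firm indicator; a hit on the query-parameter heuristic alone warrants a look at the destination before escalating.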

Conclusion

Sparkling Pisces continues to demonstrate its advanced capabilities with the deployment of KLogExe and FPSpy. These tools represent significant threats to organizations, primarily through stealthy data exfiltration and command execution. Organizations should remain vigilant, employ strong security practices, and regularly monitor for signs of compromise to mitigate potential risks.

Sources

  • Palo Alto Unit 42: Unraveling Sparkling Pisces’s Tool Set: KLogExe and FPSpy
  • CYFIRMA Weekly Intelligence Report, Oct 2024
  • CyberPress: North Korean Sparkling Pisces Strikes Again