In a recent study, Unit 42 researchers discovered that the Sparkling Pisces (aka Kimsuky) threat group uses two malware samples. A keylogger named KLogEXE by its authors is included in the list of malware, as is a variant of a backdoor known as FPSpy that is undocumented and potentially harmful. 

This is a significant addition to Sparkling Pisces' already extensive arsenal and shows that the group is continually advancing and developing its capabilities to meet the needs of its audience. Two malware tools have been discovered by researchers at Unit 42 that had never been documented before. Two tools are being used by the North Korean APT group, Sparkling Pisces, to conduct cyber espionage campaigns and spear phishing attacks. The tools being used are KLogExe and FPSpy. 

Moreover, customers can be better protected by using Cloud-Delivered Security Services as part of their Next-Generation Firewall, including Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, and Advanced Threat Prevention, and can also improve their connectivity. In KLogExe, the company uses a C++-based keylogger to record keyboard input and mouse clicks and encrypt the data they record in a log file. 

The log file has the extension .ini. After the file has reached the size limit set by KLogExe, it is renamed with the current date, an auto-generated boundary is generated, and the data is sent via HTTP to a command and control server using a unique Uniform Resource Identifier (URI) and a unique executable file name. FPSpy is an early version of the group's KGHSpy backdoor and is similar to its earlier versions.

Unit 42 has detected that it has a unique export function called MazeFunc, which is suspected to have been timestamp-ed to obscure the time by which it was created. The custom loader that comes with FPSpy drops and runs sys.dll, which gives it the ability to execute arbitrary commands, collect system data, and download additional encrypted modules as well. 

One thread is responsible for downloading modules, while another thread is responsible for data exfiltration, and it also includes running PowerShell tree commands so you can see which drives and folders have been created. There is a strong connection between both tools, with similarities in code structure and in the way HTTP packets are constructed between them. There are many cyberespionage groups on the internet, however, Sparkling Pisces (aka Kimsuky, THALLIUM, Velvet Chollima) is made up of a group that is largely known for its spear-phishing attacks and sophisticated cyberespionage operations. 

It is noteworthy that the group attacked Korea Hydro and Nuclear Power (KHNP) in 2014 which was one of their most prominent attacks. There were initially several government agencies, research institutes, think tanks, and research institutions that were targeted by the group. With the development of its network, the group began to expand to Western countries, including the United States, which established its status as a global threat as the group continued to grow.

It has been nicknamed "the king of spear phishing," and through hundreds of attacks, it has lured victims to download and execute malicious payloads to successfully steal their identities. In a recent attack, they masqueraded as a legitimate Korean company and spread malware by using a valid certificate allegedly issued by the company to target South Koreans. 

There are several malware strains and campaigns in the world today that are associated with Sparkling Pisces, yet its infrastructure is complicated and constantly evolving. The tracking of Sparkling Pisces' infrastructure revealed connections between different operations and tools that allow it to operate effectively. It was also revealed that the group used newly discovered and undocumented malware in its attacks. 

Among the malware samples found was KLogEXE, which was found by tracking the infrastructure that this group used to control the PowerShell keylogger that is documented by JPCERT, which was used as a command and control (C2) facility for this keylogger. ASEC also published a report earlier this year about spear phishing campaigns that have been conducted to infect South Korean users with PowerShell keyloggers that were also distributed by the threat actor, which has mentioned a spear phishing campaign that has targeted South Korean users. 

During the decryption of the PowerShell keylogger from the aforementioned JPCERT report, it indicated that it communicated with www.vic.apollo-star7[.]kro. kr, which resolves to 152.32.138[.]167. The PowerShell keylogger appears to communicate with a different domain as a result of examining the file for that IP address that resolves to a different URL than the one used by the file. Moreover, Sparkling Pisces uses a pattern of Uniform Resource Identifier (URI) that people have not observed in any of the other malware they saw associated with Sparkling Pisces to identify its location.

Analysis of a recent malware campaign reveals overlaps between PowerShell-based malware and two newly identified PE malware variants, named KLogEXE and FPSpy. These overlaps include the registration of domains under similar registrant emails, suggesting a potential link between the malicious software samples. One of the discovered PE malware samples, FPSpy, has operated in relative obscurity since at least 2022. 

Upon further investigation, it appears to be a variant of malware previously documented by the AhnLab Security Emergency Response Center (ASEC) in 2022. FPSpy shares numerous characteristics with KGHSpy, a backdoor malware identified in 2020 by the group known as Sparkling Pisces. These similarities extend to the naming conventions of downloaded modules and logs, as well as their operational capabilities. 

One notable tactic employed by FPSpy is timestamp tampering, where the malware authors alter the file's compilation time to obscure the true creation date. This tactic is commonly used to avoid detection and forensic analysis. Although FPSpy was first uploaded to VirusTotal on June 26, 2024, its altered compilation timestamp falsely indicates that it was created in 2018. Further examination revealed that the hard-coded subdomain for the malware’s command-and-control (C2) server, bitjoker2024.000webhostapp[.]com, was first observed in 2024, providing additional evidence of recent activity. 

FPSpy distinguishes itself from KLogEXE by its structure as a dynamic-link library (DLL), named sys.dll. It contains a unique export function called MazeFunc. This DLL is embedded in a resource labelled "DB" within its custom loader. The loader's function is to extract sys.dll into the directory C:\Users\user\AppData\Local\Microsoft\WPSOffice\ and subsequently load it into the system, initiating its malicious operations. A detailed examination of the loader’s code can be found in Figure 4. Security measures, including Advanced URL Filtering and Advanced DNS Security, have classified domains related to the group responsible for FPSpy as malicious. 

Additionally, advanced detection platforms such as Cortex XDR and XSIAM have played a key role in identifying user and credential-based threats. These platforms utilize data from multiple sources to identify potential threats, including: - Endpoints - Network firewalls - Active Directory - Identity and access management (IAM) systems - Cloud workloads By employing machine learning, Cortex XDR and XSIAM create behavioural profiles of user activity over time. 

The platforms compare recent activity to historical user behaviour, peer activity, and expected norms to detect anomalies. These anomalies can serve as indicators of credential-based attacks, enabling rapid detection and response to potential security breaches. This advanced approach helps mitigate threats before they can inflict significant damage, making it an essential tool in cybersecurity defence.