Executive Summary
The Kimsuky threat group, also known as Sparkling Pisces, has recently been identified as deploying a new keylogger, KLogEXE, and a backdoor variant, FPSpy. These tools significantly enhance the group's capabilities and show that its toolset continues to evolve. This report provides a comprehensive analysis of these malware samples, their infrastructure, and their implications for cybersecurity. The primary targets of this APT group include South Korean and Japanese entities, with a growing focus on the United States.
Technical Information
KLogEXE is a sophisticated keylogger developed in C++ that captures keystrokes, mouse clicks, and running applications. The captured data is stored in an .ini file and exfiltrated via HTTP using a specific URI pattern. The keylogger's Indicators of Compromise (IOCs) include the hash 990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27, the domain www.vic.apollo-star7[.]kro.kr, and the IP address 152.32.138[.]167.
FPSpy is a backdoor that allows the execution of arbitrary commands, collection of system information, and downloading of additional modules. It communicates with its Command and Control (C2) server using a hard-coded subdomain. The IOCs for FPSpy include the hash c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343 and the domain bitjoker2024.000webhostapp[.]com.
The infrastructure used by Sparkling Pisces shows significant overlaps between different malware strains. The group employs spear phishing campaigns to deliver these payloads, primarily targeting South Korean and Japanese entities. The spear phishing emails are crafted to appear legitimate, often mimicking trusted sources to deceive recipients into executing the malicious payloads.
The malware's C2 communication is designed to be stealthy, using legitimate-looking domains and IP addresses to avoid detection. The use of hard-coded subdomains and specific URI patterns further complicates detection efforts. The group's infrastructure is robust, with multiple fallback mechanisms to ensure continued operation even if some components are discovered and neutralized.
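As an added defender-side example (not code from the report or from Unit 42), the script below refangs the KLogEXE and FPSpy IOCs listed above and matches them against proxy-log and file-hash inventory lines, including subdomains of the listed C2 domains; the log format and all sample values are constructed assumptions.

```python
# IOCs exactly as published in the report (defanged with "[.]")
REPORT_IOCS = {
    "sha256": {
        "990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27",  # KLogEXE
        "c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343",  # FPSpy
    },
    "domain": {"www.vic.apollo-star7[.]kro.kr", "bitjoker2024.000webhostapp[.]com"},
    "ip": {"152.32.138[.]167"},
}

def refang(value):
    """Convert the report's defanged notation back into a matchable value."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

IOCS = {kind: {refang(v) for v in values} for kind, values in REPORT_IOCS.items()}

def domain_hit(host):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOCS["domain"]:
        if host == d or host.endswith("." + d):
            return d
    return None

def scan_proxy_log(lines):
    """Match 'timestamp src_ip dst_host dst_ip' lines against domain and IP IOCs."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of crashing the scan
        _, src, host, dst_ip = parts[:4]
        if d := domain_hit(host):
            hits.append((n, "domain", d, src))
        if dst_ip in IOCS["ip"]:
            hits.append((n, "ip", dst_ip, src))
    return hits

def scan_hash_inventory(lines):
    """Match 'sha256 path' inventory lines against the file-hash IOCs."""
    pairs = (l.split(maxsplit=1) for l in lines if l.strip())
    return [(path, h) for h, path in pairs if h.lower() in IOCS["sha256"]]

# Constructed sample data for this example; not taken from the report.
PROXY_LOG = [
    "2024-09-25T10:01:02Z 10.0.0.5 www.vic.apollo-star7.kro.kr 152.32.138.167",
    "2024-09-25T10:02:10Z 10.0.0.7 example.com 93.184.216.34",
    "2024-09-25T10:03:44Z 10.0.0.9 cdn.bitjoker2024.000webhostapp.com 203.0.113.10",
]
HASH_INVENTORY = [
    "990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27 /cases/host01/update.exe",
]
```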
The evolution of Sparkling Pisces's toolset is indicative of a broader trend in the cybersecurity landscape, where threat actors continuously refine their tactics, techniques, and procedures (TTPs) to evade detection and enhance their operational effectiveness. This underscores the need for organizations to adopt a proactive approach to cybersecurity, leveraging advanced threat intelligence and detection capabilities to stay ahead of emerging threats.
Exploitation in the Wild
Sparkling Pisces has been observed using these tools in targeted attacks against South Korean and Japanese entities. The group uses spear phishing emails to deliver the KLogEXE and FPSpy payloads, exploiting the trust of recipients to gain a foothold in targeted networks. The IOCs associated with these attacks include the domains and IP addresses mentioned earlier, as well as specific email addresses and subject lines used in the phishing campaigns.
APT Groups using this vulnerability
The primary APT group using these tools is Sparkling Pisces, also known as Kimsuky. This North Korean group is known for its cyberespionage operations and has expanded its reach globally, including targeting entities in the United States.
Affected Product Versions
The specific products and versions affected by KLogEXE and FPSpy are not detailed in the available information. However, the malware is designed to operate on Windows systems, and organizations using Windows-based infrastructure should be particularly vigilant.
Workaround and Mitigation
To mitigate the risks associated with KLogEXE and FPSpy, organizations should implement robust detection and prevention measures. Palo Alto Networks' Cortex XDR and XSIAM provide capabilities to detect and prevent these threats. Additionally, utilizing Advanced WildFire, Advanced URL Filtering, and Advanced DNS Security can help identify and block malicious domains and IPs associated with Sparkling Pisces. Regularly updating security software and conducting employee training on recognizing phishing attempts are also critical components of an effective defense strategy.
References
For further reading and detailed technical analysis, please refer to the following resources: Unit 42, Palo Alto Networks: Unraveling Sparkling Pisces's Tool Set: KLogEXE and FPSpy (https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/), JPCERT/CC: Attack Activities by Kimsuky Targeting Japanese Organizations, and AhnLab: Information leaking malware disguised as a famous domestic portal site.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive threat intelligence and exposure management solutions to help organizations identify and mitigate risks. We are here to support you in safeguarding your assets against emerging threats. If you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.