Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
Executive Summary
Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. These include an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy. These samples enhance Sparkling Pisces’s already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities.
Based on our analysis, we suspect that the FPSpy variant detailed in this report is a variant of malware mentioned in a campaign carried out in 2022. That campaign targeted users of a South Korean technology conglomerate.
In this article, we will provide a technical analysis of KLogEXE and FPSpy, and we’ll shed some light on Sparkling Pisces’s infrastructure. By understanding the mechanics of those two pieces of malware and the methods employed by Sparkling Pisces, organizations can better prepare and defend against such threats.
Palo Alto Networks customers receive better protection from the threats discussed in this article through …
IoC