North Korean ‘Sparkling Pisces’ Strikes: Government and Research Institutions Under Attack

Sparkling Pisces used two previously undocumented malware families, KLogEXE and FPSpy, to target users. KLogEXE is a keylogger and FPSpy is a backdoor variant; both expand the group's arsenal. The FPSpy variant might be related to a 2022 campaign targeting a South Korean technology conglomerate.

The North Korean APT group Sparkling Pisces, known for its sophisticated cyberespionage, initially targeted South Korean entities but later expanded its reach globally. The group’s most notable attack was against Korea Hydro and Nuclear Power in 2014. 

Investigators tracked Sparkling Pisces’ infrastructure and discovered a new C++ keylogger, KLogEXE, linked to their previously documented PowerShell keylogger used in a South Korean spear phishing campaign. 

The “powershell.exe” PE file communicates with a domain linked to the PowerShell keylogger IP address, which uses a unique URI pattern. The Maltego graph shows connections to KLogEXE, FPSpy, and shared domains.

Figure: Infrastructure layout showing the connections between the malware families.

KLogEXE, a C++ keylogger, covertly collects data from compromised systems: it records the active application, logs keystrokes and tracks mouse clicks, posing a threat to user privacy and security.

It writes the collected data to an .ini file. When the file reaches its limit, the malware appends a date and a random boundary, then exfiltrates the data over HTTP to a specified URI using a POST request.

FPSpy, a PE malware variant, likely originated from the same threat actor behind KGHSpy in 2020; its compilation timestamp was modified to conceal its recent creation. The malware's C2 infrastructure suggests a connection to the threat ASEC reported in 2022.

Figure: The loader code responsible for loading sys.dll.

It is sophisticated malware that drops sys.dll in a specific location and loads it. Beyond keylogging, it can store configuration data, gather system information, download and execute modules, work in a multithreaded model, execute arbitrary commands, and enumerate drives, folders, and files on the infected device.

FPSpy and KLogEXE likely share a common codebase, as evidenced by their identical dialog resource, which suggests a functional or operational link between the two tools.

Figure: Dialog resource of FPSpy.

The malware samples exhibit notable similarities, as both employ the same leaked HackingTeam code for dynamic API calls, utilize identical hardcoded HTTP packet structures, and store data in .ini files with similar content. 

Specifically, the keylogging process in both malware begins with a code section that constructs an HTTP packet for data exfiltration.

Sparkling Pisces' evolving infrastructure and tool set now include KLogEXE, a new keylogging and data exfiltration malware, and FPSpy, a variant capable of data collection and arbitrary command execution.

Unit 42 identified code similarities between KLogEXE and FPSpy, revealing a shared codebase used by Sparkling Pisces, which primarily targets South Korean and Japanese organizations, in line with previous Kimsuky activity.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.