Sparkling Pisces has used two previously undocumented malware families, KLogEXE and FPSpy, against its targets: KLogEXE is a keylogger and FPSpy is a backdoor variant, and both expand the group’s arsenal. The FPSpy variant might be related to a 2022 campaign targeting a South Korean technology conglomerate.
The North Korean APT group Sparkling Pisces, known for its sophisticated cyberespionage, initially targeted South Korean entities but later expanded its reach globally. The group’s most notable attack was against Korea Hydro and Nuclear Power in 2014.
Investigators tracked Sparkling Pisces’ infrastructure and discovered a new C++ keylogger, KLogEXE, linked to the group’s previously documented PowerShell keylogger, which was used in a spear phishing campaign against South Korean targets.
The PE file named “powershell.exe” communicates with a domain linked to the IP address of the PowerShell keylogger, using a distinctive URI pattern. The Maltego graph shows the connections between KLogEXE, FPSpy and the domains they share.
KLogEXE, a C++ keylogger, covertly collects data from compromised systems: it records the active application, logs keystrokes and tracks mouse clicks, posing a threat to user privacy and security.
The collected data is saved to an .ini file. When the file reaches its limit, the malware appends a date and a random boundary, then sends the contents over HTTP to a specified URI in a POST request.
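The exfiltration pattern described above (a log flushed at a fixed size and POSTed to the same URI as a multipart body) leaves a usable trace in proxy logs: repeated multipart POSTs of nearly identical size from one client to one URL. The following is an added detection sketch, not code from the original report or from the malware; the log format, hostnames and sizes are constructed for the example, and the size-spread heuristic is an assumption rather than a documented indicator.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not real indicators); assumed columns:
# timestamp client method url status request_bytes content_type
SAMPLE_LOG = """\
2024-09-01T10:00:01 10.0.0.5 POST http://upload.example.invalid/post.php 200 65612 multipart/form-data;boundary=----4f9a1c
2024-09-01T10:14:37 10.0.0.5 POST http://upload.example.invalid/post.php 200 65598 multipart/form-data;boundary=----b71e02
2024-09-01T10:29:12 10.0.0.5 POST http://upload.example.invalid/post.php 200 65631 multipart/form-data;boundary=----0c3d77
2024-09-01T10:43:50 10.0.0.5 POST http://upload.example.invalid/post.php 200 65605 multipart/form-data;boundary=----e85a19
2024-09-01T10:05:00 10.0.0.9 POST http://files.example.invalid/share 200 1204 multipart/form-data;boundary=----aa11bb
2024-09-01T10:06:10 10.0.0.9 POST http://files.example.invalid/share 200 845211 multipart/form-data;boundary=----cc22dd
2024-09-01T10:07:33 10.0.0.9 POST http://files.example.invalid/share 200 32100 multipart/form-data;boundary=----ee33ff
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+) "
    r"(?P<bytes>\d+) (?P<ctype>\S+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_fixed_size_multipart_posts(log_text, min_posts=3, max_spread=0.02):
    """Flag (client, url) pairs that repeatedly POST multipart bodies of nearly
    identical size, the shape a log file flushed at a fixed limit produces."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["ctype"].startswith("multipart/form-data"):
            continue
        groups[(rec["src"], rec["url"])].append(rec["bytes"])
    hits = []
    for (src, url), sizes in groups.items():
        if len(sizes) < min_posts:
            continue
        spread = pstdev(sizes) / mean(sizes)  # relative variation in body size
        if spread <= max_spread:
            hits.append((src, url, len(sizes)))
    return hits
```

Calling `find_fixed_size_multipart_posts(SAMPLE_LOG)` flags only the 10.0.0.5 client; the 10.0.0.9 uploads have the same count but a wide size spread, which is what ordinary file sharing looks like.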
FPSpy, a PE malware variant, likely comes from the same threat actor behind KGHSpy in 2020; its compilation timestamp was modified to conceal its recent creation. The malware’s C2 infrastructure suggests a connection to the threat ASEC reported in 2022.
FPSpy is sophisticated malware that drops sys.dll to a specific location and loads it. Beyond keylogging, it can store configuration data, gather system information, download and execute additional modules, run in a multithreaded model, execute arbitrary commands, and enumerate drives, folders and files on the infected device.
FPSpy and KLogEXE likely share a common codebase, as evidenced by their identical dialog resource, which suggests a functional or operational link between the two tools.
The malware samples exhibit notable similarities, as both employ the same leaked HackingTeam code for dynamic API calls, utilize identical hardcoded HTTP packet structures, and store data in .ini files with similar content.
Specifically, in both malware families the keylogging routine begins with a code section that constructs an HTTP packet for data exfiltration.
Sparkling Pisces’s evolving infrastructure and tool set now include KLogEXE, a new keylogging and data exfiltration malware, and FPSpy, a variant capable of data collection and arbitrary command execution.
Unit 42 identified code similarities between KLogEXE and FPSpy, revealing a shared codebase used by Sparkling Pisces, which primarily targets South Korean and Japanese organizations, in line with previous Kimsuky activity.