Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy

    Date: 09/27/2024

    Severity: Medium

    Summary

    The referenced Unit 42 article analyzes two malware samples used by the Sparkling Pisces (Kimsuky) threat group: KLogEXE, a previously undocumented keylogger, and a variant of FPSpy. The tools build on capabilities the group showed in a 2022 campaign against a South Korean technology conglomerate. Understanding how they operate helps organizations improve their defenses; Palo Alto Networks offers enhanced protection through its security services.

    Indicators of Compromise (IOC) List

    URL/Domains

    www.vic.apollo-star7.kro.kr
    bitjoker2024.000webhostapp.com
    mail.apollo-page.r-e.kr
    nidlogin.apollo.r-e.kr
    http://mail.apollo-page.r-e.kr/wp-content/include.php?_sys_=7
    http://mail.apollo-page.r-e.kr/plugin/include.php?_sys_=7
    https://nidlogin.apollo.r-e.kr/cmd/index.php?_idx_=7

    IP Address

    152.32.138.167

    Hash (SHA-256)

    2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715
    faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801
    a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2
    990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27
    c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "www.vic.apollo-star7.kro.kr" or url like "www.vic.apollo-star7.kro.kr" or userdomainname like "http://mail.apollo-page.r-e.kr/wp-content/include.php?_sys_=7" or url like "http://mail.apollo-page.r-e.kr/wp-content/include.php?_sys_=7" or userdomainname like "bitjoker2024.000webhostapp.com" or url like "bitjoker2024.000webhostapp.com" or userdomainname like "mail.apollo-page.r-e.kr" or url like "mail.apollo-page.r-e.kr" or userdomainname like "nidlogin.apollo.r-e.kr" or url like "nidlogin.apollo.r-e.kr" or userdomainname like "http://mail.apollo-page.r-e.kr/plugin/include.php?_sys_=7" or url like "http://mail.apollo-page.r-e.kr/plugin/include.php?_sys_=7" or userdomainname like "https://nidlogin.apollo.r-e.kr/cmd/index.php?_idx_=7" or url like "https://nidlogin.apollo.r-e.kr/cmd/index.php?_idx_=7"

    IP Address

    dstipaddress IN ("152.32.138.167") or ipaddress IN ("152.32.138.167") or publicipaddress IN ("152.32.138.167") or srcipaddress IN ("152.32.138.167")

    Hash

    sha256hash IN ("2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715","faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801","a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2","990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27","c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343")
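    The three queries above share one pattern: an exact match of each indicator against the fields a record exposes. As an added example (not Gurucul's or Unit 42's code), the Python below applies this advisory's indicators to constructed log records, normalising case and also flagging any URL whose host is one of the listed domains; the field names (url, userdomainname, dstipaddress, sha256hash, ...) are assumed to mirror the query fields.

```python
# Added example (not Gurucul's or Unit 42's code): apply this advisory's
# indicators to log records the way the TDIR queries do, plus a host-level
# match. Field names are assumed; the sample records are constructed.
from urllib.parse import urlsplit

IOC_DOMAINS = {"www.vic.apollo-star7.kro.kr", "bitjoker2024.000webhostapp.com",
               "mail.apollo-page.r-e.kr", "nidlogin.apollo.r-e.kr"}
IOC_URLS = {"http://mail.apollo-page.r-e.kr/wp-content/include.php?_sys_=7",
            "http://mail.apollo-page.r-e.kr/plugin/include.php?_sys_=7",
            "https://nidlogin.apollo.r-e.kr/cmd/index.php?_idx_=7"}
IOC_IPS = {"152.32.138.167"}
IOC_SHA256 = {"2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715",
              "faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801",
              "a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2",
              "990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27",
              "c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343"}
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def host_of(value):
    """Lower-cased host of a URL or bare domain ('' if none)."""
    return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()

def match_record(rec):
    """Return [(ioc_type, value)] for every indicator one log record hits."""
    hits = []
    for field in ("userdomainname", "url"):
        value = rec.get(field, "")
        if value in IOC_URLS or value.lower() in IOC_DOMAINS:  # exact, as in the query
            hits.append(("url", value))
        elif host_of(value) in IOC_DOMAINS:  # other path/scheme on a listed host
            hits.append(("domain", host_of(value)))
    for field in IP_FIELDS:
        if rec.get(field) in IOC_IPS:
            hits.append(("ip", rec[field]))
    if rec.get("sha256hash", "").lower() in IOC_SHA256:  # hashes match case-insensitively
        hits.append(("sha256", rec["sha256hash"].lower()))
    return hits

def scan(records):
    """Return [(index, hits)] for each record that hit at least one indicator."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]

SAMPLE_LOGS = [  # constructed records, not from any real environment
    {"url": "http://mail.apollo-page.r-e.kr/wp-content/include.php?_sys_=7",
     "dstipaddress": "152.32.138.167"},
    {"url": "https://NIDLOGIN.apollo.r-e.kr/cmd/other.php", "dstipaddress": "10.0.0.5"},
    {"sha256hash": "2E768CEE1C89AD5FC89BE9DF5061110D2A4953B336309014E0593EB65C75E715"},
    {"url": "https://example.com/", "srcipaddress": "203.0.113.9"},
]
```

    Calling scan(SAMPLE_LOGS) flags the first three records and leaves the fourth untouched; the second record is caught only by the host-level check, which the exact-match queries above would miss.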

    Reference: https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/


    Tags: Malware, Keylogger, KLogEXE, FPSpy, APT
