By Javier Conejo del Cerro

(Back)door wide open to (key)log data




Picture this: a seemingly secure day, calmly sipping your coffee, watching your data. Suddenly the news hits: a North Korean cyberattack is underway. It is not a missile strike but something far more subtle and insidious: a keylogger and a backdoor.

Sparkling Pisces, a North Korean threat actor also tracked as Kimsuky, has launched a new wave of attacks. The group has been deploying a backdoor known as FPSpy and a previously undocumented keylogger called KLogEXE, both built to infiltrate systems, collect sensitive data and execute commands without being noticed.

We will look at how the two strains operate, from FPSpy opening the backdoor to KLogEXE logging every keystroke. Understanding these tools is key to staying ahead of an actor that keeps refining them.


KLogEXE: Keylogging and Data Exfiltration Tool


KLogEXE is a newly discovered piece of malware that functions as a keylogger. It is designed to record and track every keystroke made by the user on an infected device. This allows attackers to steal sensitive information, such as login credentials, personal data, and potentially confidential communications.


Key Characteristics of KLogEXE:


  1. Written in C++: KLogEXE is the C++ successor of a previously reported PowerShell-based keylogger. A compiled binary no longer depends on PowerShell being available and sidesteps PowerShell-specific telemetry such as script block logging, so the same capability now arrives with a smaller detection surface.

  2. Keylogging Mechanism: KLogEXE captures keystrokes by polling the Windows API function GetAsyncKeyState rather than installing a keyboard hook: it repeatedly checks the state of each virtual-key code and records the keys whose state shows they were pressed since the last poll. Polling leaves no hook for tooling to enumerate, but it does produce a process that calls GetAsyncKeyState continuously, which behaviour-based endpoint products can watch for. Everything the user types, including usernames and passwords, is logged in real time.

  3. Mouse Click Tracking: Alongside keystrokes, KLogEXE records mouse clicks together with the names of the buttons that were clicked. This lets the operator reconstruct what the victim was doing (which dialog, which form) around each burst of typed text.

  4. Data Storage and Exfiltration: Captured data is written to an .ini file at C:\Users\user\AppData\Roaming\Microsoft\desktops.ini, where "user" stands for the victim's profile name (that is, %APPDATA%\Microsoft\desktops.ini); the extra "s" makes the name resemble the legitimate desktop.ini files Windows keeps in many folders. Once the file reaches a size threshold, the malware renames it with a date stamp and queues it for upload. The stolen data is then sent in an HTTP POST request to the command-and-control (C2) server at the URI /wp-content/include.php?_sys_=7, a path that looks like part of an ordinary WordPress site.


FPSpy: An Advanced Backdoor with Multi-Functional Capabilities


FPSpy is a more complex and versatile malware strain compared to KLogEXE. First detected in 2022, this backdoor has evolved and resurfaced as a more sophisticated variant in recent months. FPSpy is designed to carry out a wide range of tasks on infected systems, with capabilities that extend far beyond simple data collection.


Key Characteristics of FPSpy:


  1. DLL Structure: FPSpy is a dynamic link library (DLL) file (sys.dll), which is deployed by a custom loader. This loader drops the DLL into the C:\Users\user\AppData\Local\Microsoft\WPSOffice\ folder, where it is subsequently executed.

  2. Multithreading Capabilities: FPSpy operates in a multithreaded model, which allows it to carry out multiple tasks simultaneously. For example, one thread may be responsible for downloading additional encrypted modules, while another uploads the collected data to its C2 server.

  3. Data Collection and System Enumeration: FPSpy gathers extensive system information and stores it in files named Sysinfo_<date>_.txt. It also enumerates the drives and folders of the infected machine by running the Windows tree command (tree.com, invoked through PowerShell) to map the file structure, saving the listing for each drive in a file named Drv_<drive letter>.

  4. Command Execution: Beyond data collection, FPSpy can execute arbitrary commands on the victim’s device. This gives attackers remote control over the system, allowing them to further manipulate or infect the machine.

  5. Timestomping: To complicate forensics, FPSpy binaries are timestomped: the authors altered the files' timestamps so they appear older than they are, so that the sample neither stands out in a listing sorted by creation date nor falls inside the incident window. On NTFS this is only half effective. Timestomping tools rewrite the $STANDARD_INFORMATION attribute, but the $FILE_NAME attribute carries its own set of timestamps that the kernel maintains on create, rename and move, so a $STANDARD_INFORMATION creation time older than the $FILE_NAME creation time is a classic sign of tampering.
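The $STANDARD_INFORMATION versus $FILE_NAME comparison just described, as an added example (not code from the original post and not FPSpy code). It runs over constructed records shaped like the per-file output of an MFT parser; the field names, paths and timestamp values are assumptions chosen to show the two heuristics firing and not firing.

```python
"""Timestomping check over NTFS $MFT timestamps.

Added example, not from the original post and not FPSpy code. The records
below are CONSTRUCTED to resemble what an MFT parser exports per file
(one $STANDARD_INFORMATION set and one $FILE_NAME set of timestamps);
field names and values are assumptions chosen to illustrate the checks.
"""
from datetime import datetime, timezone


def to_ticks(ts: str) -> int:
    """'YYYY-MM-DD HH:MM:SS[.fffffff]' (UTC) -> count of 100 ns units since the Unix epoch.

    NTFS stores FILETIME at 100 ns granularity, so the fraction is kept
    rather than rounded away; heuristic 2 depends on it.
    """
    base, _, frac = ts.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 10_000_000 + int((frac + "0000000")[:7])


SI_FIELDS = ("created", "modified", "mft_modified", "accessed")


def timestomp_indicators(record: dict) -> list:
    """Return the heuristics that fire for one file record (empty list = nothing odd).

    1. si_created_before_fn_created: the Win32 API, and therefore timestomping
       tools, rewrite $STANDARD_INFORMATION; $FILE_NAME is set by the kernel on
       create, rename or move and is not exposed through that API. An SI creation
       time earlier than the FN creation time means SI was pushed into the past.
    2. zero_subsecond_si: many tools write whole-second values, while genuine
       NTFS timestamps almost always carry a non-zero 100 ns fraction.
    """
    si, fn = record["si"], record["fn"]
    reasons = []
    if to_ticks(si["created"]) < to_ticks(fn["created"]):
        reasons.append("si_created_before_fn_created")
    if all(to_ticks(si[k]) % 10_000_000 == 0 for k in SI_FIELDS):
        reasons.append("zero_subsecond_si")
    return reasons


def scan(records) -> dict:
    """Map path -> fired heuristics for every record that triggers at least one."""
    return {r["path"]: hits for r in records if (hits := timestomp_indicators(r))}


# Constructed records (assumed values), not data from a real incident.
RECORDS = [
    {   # an FPSpy-style drop whose SI timestamps were backdated to 2019
        "path": r"C:\Users\user\AppData\Local\Microsoft\WPSOffice\sys.dll",
        "si": {"created": "2019-03-02 08:11:42", "modified": "2019-03-02 08:11:42",
               "mft_modified": "2019-03-02 08:11:42", "accessed": "2019-03-02 08:11:42"},
        "fn": {"created": "2024-09-19 14:02:17.3391204", "modified": "2024-09-19 14:02:17.3391204",
               "mft_modified": "2024-09-19 14:02:17.3391204", "accessed": "2024-09-19 14:02:17.3391204"},
    },
    {   # an ordinary file: SI and FN agree and carry sub-second fractions
        "path": r"C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm",
        "si": {"created": "2024-05-08 03:14:55.1029384", "modified": "2024-08-30 17:45:09.5520012",
               "mft_modified": "2024-08-30 17:45:09.5520012", "accessed": "2024-09-20 09:00:01.0000000"},
        "fn": {"created": "2024-05-08 03:14:55.1029384", "modified": "2024-05-08 03:14:55.1029384",
               "mft_modified": "2024-05-08 03:14:55.1029384", "accessed": "2024-05-08 03:14:55.1029384"},
    },
]

if __name__ == "__main__":
    for path, hits in scan(RECORDS).items():
        print(path, "->", ", ".join(hits))
```

Both checks are triage indicators, not proof: a file renamed or moved after being stomped gets fresh $FILE_NAME values and passes check 1, and files restored from backup or laid down by some installers can legitimately carry old $STANDARD_INFORMATION times. Treat a hit as a reason to pull the sample, not as a verdict.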


Key Similarities Between KLogEXE and FPSpy


Both malware variants exhibit several overlapping characteristics, indicating a shared development lineage. This includes:

  • API Calls for Detection Evasion: Both resolve the Windows APIs they need at run time instead of importing them, reusing a dynamic API resolution routine taken from the leaked Hacking Team source code. The functions therefore never appear in the PE import table, which defeats static signatures built on imported names; the same trait, a near-empty import table on a binary that plainly does networking and file I/O, is itself a useful triage signal.

  • Similar HTTP Data Exfiltration: Both build near-identical HTTP requests for uploading stolen data, with the same header layout and a randomly generated multipart boundary string.

  • Shared Data Storage Methods: Both stage the data they collect in .ini files that share similar formats and naming conventions.
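The upload pattern described in the KLogEXE section (POST to /wp-content/include.php?_sys_=7) and in the similarities above (same header layout, random multipart boundary), as an added detection example that is not code from the original post or from either tool. The page documents only the URI, the multipart/boundary structure and the file names the two tools write; the host name, the form field name and the date-stamp format of the renamed keylog used in the constructed sample request are assumptions.

```python
"""Flag the HTTP upload pattern this post attributes to KLogEXE and FPSpy.

Added example; not code from the original post or from the malware itself.
Only the POST target, the multipart/boundary structure and the artefact file
names come from the page; host, field name and date-stamp format are assumed.
"""
import re
import secrets
from typing import Optional


# --- constructed traffic ------------------------------------------------------
def build_sample_upload(host: str, filename: str, payload: bytes) -> bytes:
    """Constructed request shaped like the page's description of the exfiltration."""
    boundary = "----" + secrets.token_hex(8)          # random boundary per request
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + payload + f"\r\n--{boundary}--\r\n".encode()
    head = (
        "POST /wp-content/include.php?_sys_=7 HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


# --- detection ----------------------------------------------------------------
C2_URI_RE = re.compile(r"^POST\s+(/wp-content/include\.php\?_sys_=\d+)\s+HTTP/1\.[01]", re.I)
BOUNDARY_RE = re.compile(r'^Content-Type:\s*multipart/form-data;\s*boundary="?([^\r\n;"]+)', re.I | re.M)
# File names the page attributes to the two tools: desktops.ini (plus its
# date-stamped renames, format assumed), Sysinfo_<date>_.txt and Drv_<letter>.
UPLOAD_NAME_RE = re.compile(rb'filename="(desktops[^"]*\.ini|Sysinfo_[^"]*_\.txt|Drv_[^"]*)"', re.I)


def inspect_request(raw: bytes) -> Optional[dict]:
    """Return a finding for one raw HTTP request, or None if nothing matched."""
    head, _, body = raw.partition(b"\r\n\r\n")
    text = head.decode("latin-1")
    reasons = []
    uri = C2_URI_RE.match(text)
    if uri:
        reasons.append("c2-uri")                        # strongest indicator: documented path
    bnd = BOUNDARY_RE.search(text)
    boundary = bnd.group(1).strip() if bnd else None
    if boundary and body.count(b"--" + boundary.encode("latin-1")) >= 2:
        reasons.append("multipart-body")                # header boundary really delimits the body
    name = UPLOAD_NAME_RE.search(body)
    if name and boundary:
        reasons.append("known-artefact-name")           # uploading one of the tools' own files
    # A multipart upload by itself is what every browser form does; only report
    # when the documented URI or one of the artefact names is present.
    if "c2-uri" not in reasons and "known-artefact-name" not in reasons:
        return None
    return {
        "reasons": reasons,
        "uri": uri.group(1) if uri else text.split("\r\n", 1)[0],
        "boundary": boundary,
        "filename": name.group(1).decode("latin-1") if name else None,
    }


if __name__ == "__main__":
    sample = build_sample_upload("c2.example.test", "desktops_20240924.ini", b"[keys]\r\nuser=...\r\n")
    print(inspect_request(sample))
    benign = (b"POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: blog.example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\naction=heartbeat")
    print(inspect_request(benign))                      # None
```

The URI match is the high-confidence rule; the artefact-name match catches a future variant that moves the C2 path but keeps its on-disk naming, and the boundary check only corroborates (it is deliberately not enough on its own, otherwise every web form submission would page someone). Because the documented traffic is plain HTTP, a proxy or IDS can apply this to the request as-is.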


Measures to Fend Off KLogEXE and FPSpy


Protecting your systems from these types of advanced malware requires a multi-layered approach that includes both proactive defense strategies and rapid response measures.

  1. Implement Strong Endpoint Protection:

    • Use endpoint security tooling that judges behaviour rather than file hashes: a process continuously polling keyboard state, a DLL loaded from a user's AppData folder, or a non-browser process posting multipart uploads to a web server.

    • Ensure that endpoint protection includes heuristic or behavior-based detection, which can catch malware variants that have not yet been documented.

  2. Regularly Update and Patch Systems:

    • Keep all systems, applications and software libraries current with security patches. Neither KLogEXE nor FPSpy is reported to depend on a software vulnerability (the initial vector is phishing, see point 5), but patching limits what an attacker can do once a foothold exists.

    • Prioritize fixes for remote code execution and privilege escalation bugs, which are what turn a user-level foothold into control of the host.

  3. Restrict Administrative Privileges:

    • Limit administrator accounts and run users with the least privilege their job needs. Note that both samples drop into the user's own AppData folders (WPSOffice under Local, desktops.ini under Roaming), so they do not need elevated rights to run; least privilege limits how far a compromised account can reach, it does not by itself prevent the infection.

    • Use multi-factor authentication (MFA) so that a password captured by a keylogger is not enough on its own, and prefer phishing-resistant methods such as FIDO2 security keys: one-time codes typed on the keyboard are captured just like passwords and can be replayed within their validity window.

  4. Monitor Network Traffic for Anomalies:

    • Monitor outbound traffic for connections to domains tied to Sparkling Pisces C2 infrastructure and, more durably, for the request shape itself: HTTP POSTs to /wp-content/include.php?_sys_=7, or multipart uploads issued by processes that are not browsers.

    • Use deep packet inspection (DPI) to spot exfiltration. Because the uploads described here travel over plain HTTP, an inspecting proxy or IDS sees the URI, the multipart boundary and the file name being uploaded; if the actor moves to HTTPS, only TLS interception or metadata (destination, payload size, upload periodicity) remains.

  5. Conduct Security Awareness Training:

    • Educate employees and users on the risks of phishing attacks, which are often the initial attack vector for malware like KLogEXE and FPSpy. Users should be trained to recognize suspicious emails, attachments, and links.

    • Use email authentication (SPF, DKIM and DMARC) to verify the origin of inbound mail, and treat executable attachments as hostile by default.

  6. Deploy Intrusion Detection and Prevention Systems (IDPS):

    • Use IDPS solutions to detect and prevent malware from communicating with external C2 servers. These systems can identify known indicators of compromise (IOCs), such as IP addresses or domains linked to Sparkling Pisces infrastructure.

  7. Regular Security Audits and Threat Hunting:

    • Conduct regular security audits to ensure that your defenses are up-to-date and effective against the latest threats.

    • Engage in proactive threat hunting to find compromises that slipped past existing detection. This includes checking for unexpected files in the locations named above: C:\Users\<user>\AppData\Local\Microsoft\WPSOffice\ (sys.dll) and C:\Users\<user>\AppData\Roaming\Microsoft\ (desktops.ini and its date-stamped copies).
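A hunt over those locations, as an added example (not code from the original post). It takes any directory as the "users" root so it can be exercised on a constructed profile tree; on a real host it would be pointed at C:\Users. Two assumptions are built in: the date-stamped rename of desktops.ini keeps the "desktops" prefix and ".ini" suffix, and FPSpy's Sysinfo_ and Drv_ files sit somewhere under AppData (the page does not say where).

```python
"""Hunt user profiles for the on-disk artefacts this post attributes to KLogEXE and FPSpy.

Added example; not code from the original post. Assumptions: the renamed keylog
keeps the 'desktops*.ini' shape, and the Sysinfo_/Drv_ files live under AppData.
"""
import tempfile
from pathlib import Path

PATTERNS = [
    # (label, glob relative to one user profile)
    ("FPSpy DLL in its drop folder", "AppData/Local/Microsoft/WPSOffice/sys.dll"),
    # Note the trailing 's': the legitimate Windows file is desktop.ini.
    ("KLogEXE keystroke log (live or date-stamped)", "AppData/Roaming/Microsoft/desktops*.ini"),
    ("FPSpy system inventory", "AppData/**/Sysinfo_*_.txt"),      # location assumed
    ("FPSpy drive/folder listing", "AppData/**/Drv_?"),           # location assumed
]


def hunt(users_root) -> list:
    """Return one dict per matching file across every profile under users_root."""
    hits = []
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        for label, pattern in PATTERNS:
            for path in sorted(profile.glob(pattern)):
                if path.is_file():
                    hits.append({"user": profile.name, "label": label,
                                 "path": str(path), "size": path.stat().st_size})
    return hits


def build_constructed_profiles(base) -> Path:
    """Constructed test data: one profile carrying every artefact, one clean profile."""
    base = Path(base)
    infected = base / "alice"
    wps = infected / "AppData/Local/Microsoft/WPSOffice"
    roaming = infected / "AppData/Roaming/Microsoft"
    wps.mkdir(parents=True)
    roaming.mkdir(parents=True)
    (wps / "sys.dll").write_bytes(b"MZ" + b"\0" * 62)                 # placeholder, not a real PE
    (wps / "Sysinfo_20240924_.txt").write_text("hostname=DESKTOP-TEST\n")
    (wps / "Drv_C").write_text("C:.\n|-- Users\n")
    (roaming / "desktops.ini").write_text("[keys]\n")
    (roaming / "desktops_20240924.ini").write_text("[keys]\n")        # rename format assumed
    clean = base / "bob" / "AppData/Roaming/Microsoft"
    clean.mkdir(parents=True)
    (clean / "desktop.ini").write_text("[.ShellClassInfo]\n")           # legitimate Windows file
    return base


def demo() -> list:
    """Run the hunt over a throwaway tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_constructed_profiles(tmp))


if __name__ == "__main__":
    for h in demo():
        print(f"{h['user']:<8} {h['label']:<45} {h['path']}")
```

Path-based hunting is the cheapest check and the easiest for the actor to invalidate by renaming a folder, so pair it with the behavioural signals from the measures above (a DLL loaded from AppData, a process polling GetAsyncKeyState, multipart POSTs from non-browsers). On Windows the same sweep is a one-liner with Get-ChildItem -Recurse against the same patterns.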


