| KLogExe | |
|---|---|
| Type of Malware | Infostealer |
| Country of Origin | North Korea |
| Targeted Countries | South Korea |
| Date of Initial Activity | 2024 |
| Associated Groups | APT43 |
| Motivation | Data Theft |
| Type of Information Stolen | Login Credentials |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
KLogEXE is a sophisticated piece of malware discovered as part of a broader cyber espionage campaign attributed to the North Korean APT group Sparkling Pisces (also known as Kimsuky). This keylogger, undocumented prior to its discovery, represents an evolution of Sparkling Pisces’s cyberattack capabilities and demonstrates the group’s ability to innovate and adapt its tactics. The malware is designed to quietly infiltrate targeted systems, collect sensitive data, and exfiltrate it to the attacker’s command and control (C2) infrastructure. KLogEXE’s primary function is to record keystrokes and mouse clicks and to monitor running applications, making it a powerful tool for gathering intelligence from compromised machines.
The malware operates by saving the collected data into a local file before exfiltrating it in a highly controlled manner. Once the file reaches a size threshold, KLogEXE compresses and sends the data to the attacker’s C2 server via an HTTP POST request. This exfiltration process is executed through a unique URI, which is indicative of the malware’s custom-built infrastructure. KLogEXE’s C++ codebase, coupled with its stealthy operation, enables it to operate unnoticed on compromised systems, highlighting the group’s continued investment in developing sophisticated, hard-to-detect malware tools.
Targets
Educational services
Public Administration
Information
Manufacturing
How they operate
Once deployed, KLogEXE silently records the user’s interactions with the system. Using the Windows API, the malware tracks keystrokes by calling the GetAsyncKeyState function, which reports key state at a low level and allows the malware to capture every keystroke made on the compromised system. Additionally, KLogEXE records mouse events, specifically monitoring mouse clicks and identifying which buttons are pressed. These actions are stored locally in an INI file, typically C:\Users\user\AppData\Roaming\Microsoft\desktops.ini, which serves as the storage location for the captured keystrokes, mouse clicks, and application data.
To limit its footprint and to manage the volume of captured data, KLogEXE stages its exfiltration. When the data file reaches a specific size limit, the malware appends a date to the file name and generates a random boundary to obscure the data. The resulting file is then exfiltrated to the attacker’s command and control (C2) server over HTTP in a POST request to the unique URI path /wp-content/include.php?_sys_=7. Because this path resembles an ordinary web-application request, KLogEXE’s traffic is harder to distinguish from legitimate web traffic, adding a layer of stealth to the exfiltration process.
In terms of infrastructure, KLogEXE communicates with a specific C2 server, which is configured to accept incoming connections and process the stolen data. The malware sends the stolen data in a structured format, making it easy for the attackers to parse and utilize the information. This functionality is consistent with Sparkling Pisces’s typical tactics, where data is often exfiltrated in stages to avoid detection by network monitoring tools. The ability to compress and split data before exfiltration ensures that KLogEXE remains undetected for longer periods, even in environments with active security monitoring.
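A defender-side check for the exfiltration pattern described above, added here as an example (it is not code from the original write-up or from the malware): it scans constructed proxy-log lines for POST requests to /wp-content/include.php?_sys_=7 and groups repeated uploads by source host, which is consistent with the staged, size-triggered uploads described. The log layout and sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Network indicators quoted in the write-up above.
KLOGEXE_PATH = "/wp-content/include.php"
KLOGEXE_QUERY = {"_sys_": ["7"]}

# Constructed proxy-log layout (an assumption, not any vendor's format):
# <timestamp> <client_ip> <method> <url> <status> <bytes_out> "<content-type>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ctype>[^"]*)"$'
)

# Constructed sample: a benign GET, a POST to a look-alike path with a
# different _sys_ value, and two staged uploads from the same workstation.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z 10.0.0.12 GET http://intranet.example/wp-content/themes/style.css 200 5120 "text/css"
2024-05-02T09:14:07Z 10.0.0.12 POST http://intranet.example/wp-content/include.php?_sys_=7 200 65536 "multipart/form-data; boundary=7d8f3a9c2b1e"
2024-05-02T09:15:11Z 10.0.0.31 POST http://blog.example/wp-content/include.php?_sys_=2 200 812 "application/x-www-form-urlencoded"
2024-05-02T09:16:40Z 10.0.0.12 POST http://intranet.example/wp-content/include.php?_sys_=7 200 66011 "multipart/form-data; boundary=a1b2c3d4e5f6"
"""

def is_klogexe_exfil(method, url):
    """POST whose path and full query equal /wp-content/include.php?_sys_=7.
    Host and scheme are ignored: the write-up names the URI, not a server."""
    if method != "POST":
        return False
    parts = urlsplit(url)
    return parts.path == KLOGEXE_PATH and parse_qs(parts.query) == KLOGEXE_QUERY

def scan_proxy_log(text):
    """One record per matching request; 'multipart' corroborates the
    random-boundary upload described above but is not required to match."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_klogexe_exfil(m["method"], m["url"]):
            hits.append({"ts": m["ts"], "src": m["src"], "bytes": int(m["bytes"]),
                         "multipart": m["ctype"].startswith("multipart/form-data")})
    return hits

def repeat_sources(hits, min_posts=2):
    """Hosts with several matching POSTs, i.e. staged uploads worth triaging first."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= min_posts)
```

Running `scan_proxy_log(SAMPLE_LOG)` flags only the two `_sys_=7` uploads from 10.0.0.12; the look-alike request with `_sys_=2` is ignored.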
The technical sophistication of KLogEXE highlights its role in Sparkling Pisces’s larger cyber espionage campaigns. By integrating advanced data collection and exfiltration techniques, KLogEXE serves as a powerful tool for gathering intelligence from targeted organizations. Its use of custom-built infrastructure, stealthy operation, and data management strategies makes it a highly effective piece of malware for its operators. As Sparkling Pisces continues to evolve its tools and tactics, understanding the technical underpinnings of KLogEXE provides valuable insight for organizations aiming to defend against this persistent and sophisticated threat actor.