Article Details
Scrape Timestamp (UTC): 2024-09-26 12:34:27.571
Source: https://thehackernews.com/2024/09/n-korean-hackers-deploy-new-klogexe-and.html
Original Article Text
Click to Toggle View
N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks. Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy. The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. "These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group's continuous evolution and increasing capabilities," Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said. Active since at least 2012, the threat actor has been called the "king of spear phishing" for its ability to trick victims into downloading malware by sending emails that make it seem like they are from trusted parties. Unit 42's analysis of Sparkling Pisces' infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy. KLogExe is a C++ version of the PowerShell-based keylogger named InfoKey that was highlighted by JPCERT/CC in connection with a Kimsuky campaign targeting Japanese organizations. The malware comes equipped with capabilities to collect and exfiltrate information about the applications currently running on the compromised workstation, keystrokes typed, and mouse clicks. On the other hand, FPSpy is said to be a variant of the backdoor that AhnLab disclosed in 2022, with overlaps identified to a malware that Cyberseason documented under the name KGH_SPY in late 2020. FPSpy, in addition to keylogging, is also engineered to gather system information, download and execute more payloads, run arbitrary commands, and enumerate drives, folders, and files on the infected device. Unit 42 said it was also able to identify points of similarities in the source code of both KLogExe and FPSpy, suggesting that they are likely the work of the same author. "Most of the targets we observed during our research originated from South Korea and Japan, which is congruent with previous Kimsuky targeting," the researchers said.
Daily Brief Summary
North Korean-linked threat group Kimsuky has deployed two new malware types, KLogEXE and FPSpy, targeting entities primarily in South Korea and Japan.
Kimsuky, also known under various aliases including APT43 and Velvet Chollima, has been active since 2012 and is noted for its spear phishing expertise.
The newly discovered malware strains show significant advancements in Kimsuky's operational capabilities, enhancing their technical arsenal for espionage.
KLogEXE, developed in C++, is a sophisticated keylogger designed to monitor and transmit data on user keystrokes, mouse actions, and running applications.
FPSpy serves as a multifunctional backdoor capable of extracting system information, downloading further payloads, and executing arbitrary commands.
Both KLogEXE and FPSpy share similar source codes, indicating they were likely developed by the same authors within the Kimsuky group.
Research by Palo Alto Networks' Unit 42 has played a crucial role in identifying these threats and providing insights into their functionalities and targets.