September 26, 2024 at 08:54AM
Threat actors linked to North Korea have introduced two new malware strains, named KLogEXE and FPSpy, as part of their cyber activity. These strains enhance the capabilities of the group known as Sparkling Pisces and are used for espionage and data collection. The targets have mainly been in South Korea and Japan.
From the meeting notes, it is clear that researchers have observed threat actors associated with North Korea utilizing two new malware strains known as KLogEXE and FPSpy. The activity has been attributed to the threat actor group Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, and Velvet Chollima. These malware samples enhance Sparkling Pisces’ arsenal, indicating the group’s continuous evolution and increasing capabilities.
Kimsuky has been active since at least 2012 and is known for spear phishing tactics, where they trick victims into downloading malware by sending seemingly trustworthy emails. Unit 42’s analysis of Sparkling Pisces’ infrastructure has revealed the discovery of two new portable executables, KLogEXE and FPSpy.
KLogExe is a C++ version of the PowerShell-based keylogger named InfoKey. It can collect and exfiltrate information about running applications, keystrokes, and mouse clicks. On the other hand, FPSpy is a variant of a backdoor previously disclosed by AhnLab, capable of keylogging, gathering system information, downloading and executing payloads, running arbitrary commands, and enumerating drives, folders, and files.
Unit 42 has identified similarities in the source code of both KLogExe and FPSpy, suggesting they may be the work of the same author. Moreover, the researchers noted that most targets observed during their research originated from South Korea and Japan, aligning with previous targeting by Kimsuky.
This information provides crucial insights into the evolving tactics and capabilities of the Kimsuky threat actor group, indicating the need for heightened vigilance and proactive measures to mitigate potential cyber threats.