Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy.
The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.
“These samples enhance Sparkling Pisces’ already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities,” Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said.
Active since at least 2012, the threat actor has been called the “king of spear phishing” for its ability to trick victims into downloading malware by sending emails that make it seem like they are from trusted parties.
Unit 42’s analysis of Sparkling Pisces’ infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy.
KLogExe is a C++ version of the PowerShell-based keylogger named InfoKey that was highlighted by JPCERT/CC in connection with a Kimsuky campaign targeting Japanese organizations.
The malware comes equipped with capabilities to collect and exfiltrate information about the applications currently running on the compromised workstation, keystrokes typed, and mouse clicks.
On the other hand, FPSpy is said to be a variant of the backdoor that AhnLab disclosed in 2022, with overlaps identified to a malware that Cyberseason documented under the name KGH_SPY in late 2020.
FPSpy, in addition to keylogging, is also engineered to gather system information, download and execute more payloads, run arbitrary commands, and enumerate drives, folders, and files on the infected device.
Unit 42 said it was also able to identify points of similarities in the source code of both KLogExe and FPSpy, suggesting that they are likely the work of the same author.
“Most of the targets we observed during our research originated from South Korea and Japan, which is congruent with previous Kimsuky targeting,” the researchers said.
