North Korean Hackers Unleash New KLogEXE and FPSpy Malware in Precise Attacks

Cyber adversaries connected to North Korea have been caught deploying two fresh strains of malware, designated KLogEXE and FPSpy.

These activities have been ascribed to the notorious group known as Kimsuky, which operates under several aliases, including APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.

“These newly identified samples further enhance Sparkling Pisces’ already formidable toolkit, showcasing the group’s ongoing evolution and expanding technical prowess,” noted Daniel Frank and Lior Rochberger, researchers from Palo Alto Networks’ Unit 42.

Active since at least 2012, Kimsuky has earned the title “king of spear phishing,” mastering the art of deceiving targets into installing malware by sending seemingly legitimate emails that appear to come from trusted sources.

Unit 42’s probe into Sparkling Pisces’ infrastructure has led to the discovery of two portable executables: KLogEXE and FPSpy.

KLogEXE is essentially a C++ rendition of the PowerShell-based keylogger InfoKey, previously identified by JPCERT/CC in connection with a Kimsuky operation aimed at Japanese entities.

This malware possesses features enabling it to capture and exfiltrate data concerning active applications on the victim’s machine, record keystrokes, and track mouse clicks.

FPSpy, on the other hand, is a variant of a backdoor first revealed by AhnLab in 2022, with similarities to malware that Cybereason documented under the name KGH_SPY back in 2020.

Beyond its keylogging capabilities, FPSpy is designed to collect system information, download and execute additional malicious payloads, run arbitrary commands, and enumerate the drives, directories, and files on the infected device.

Unit 42’s research also pointed to notable similarities in the source code of both KLogEXE and FPSpy, hinting that both malware variants were likely crafted by the same developer.

“Most of the targets we’ve uncovered in our investigation originate from South Korea and Japan, aligning with Kimsuky’s historical focus,” the researchers remarked.
