Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy.
The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.
“These samples enhance Sparkling Pisces’ already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities,” Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said.
Active since at least 2012, the threat actor has been called the “king of spear-phishing” for its ability to trick victims into downloading malware by sending emails that make it seem like they are from trusted parties.
Unit 42’s analysis of Sparkling Pisces’ infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy.
“These malware strains are known to be delivered primarily via spear-phishing attacks,” Assaf Dahan, Director of Threat Research at Unit 42, Palo Alto Networks, told The Hacker News via email.
“Based on the information available to us, it appears that the operators of Sparkling Pisces in this campaign favor social engineering attacks in the form of spear-phishing emails sent to their targets.”
“These carefully crafted emails have a language designed to lure the targets into downloading a ZIP file attached to the email. The targets are often encouraged to extract malicious files, which upon execution invoke the infection chain – eventually delivering these malware strains.”
KLogExe is a C++ version of the PowerShell-based keylogger named InfoKey that was highlighted by JPCERT/CC in connection with a Kimsuky campaign targeting Japanese organizations.
The malware comes equipped with capabilities to collect and exfiltrate information about the applications currently running on the compromised workstation, keystrokes typed, and mouse clicks.
On the other hand, FPSpy is said to be a variant of the backdoor that AhnLab disclosed in 2022, with overlaps identified to a malware that Cyberseason documented under the name KGH_SPY in late 2020.
FPSpy, in addition to keylogging, is also engineered to gather system information, download and execute more payloads, run arbitrary commands, and enumerate drives, folders, and files on the infected device.
Unit 42 said it was also able to identify points of similarities in the source code of both KLogExe and FPSpy, suggesting that they are likely the work of the same author.
“While Sparkling Pisces (aka Kimsuky) has previously attacked multiple regions and industries, their primary targets in this campaign appear to be Japanese and South Korean organizations,” Dahan said.
“Due to the nature of these campaigns, which is considered to be targeted and handpicked, we assess that it is not likely vastly widespread, but rather contained to a few select countries (mainly Japan and South Korea) and a handful of industries.”
(The story was updated after publication to include responses from Palo Alto Networks Unit 42.)