Attackers linked to North Korea have been seen using two new varieties of malware, dubbed KLogEXE and FPSpy.
The activity was attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail and Velvet Chollima.
“These samples expand Sparkling Pisces’ already extensive arsenal and demonstrate the group’s continued evolution and increasing capabilities,” Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said.
Active since at least 2012, the threat actor has been dubbed the “king of phishing” for its ability to trick victims into downloading malware by sending emails that give the impression of coming from trusted parties.
Unit 42’s analysis of the Sparkling Pisces infrastructure revealed two new portable executables called KLogEXE and FPSpy.
KLogEXE is a C++ version of a PowerShell-based keylogger called InfoKey that was highlighted by JPCERT/CC in connection with a Kimsuky campaign targeting Japanese organizations.
The malware is equipped with capabilities to collect and steal information about the programs currently running on the compromised workstation, keystrokes and mouse clicks.
FPSpy, on the other hand, is considered a variant of a backdoor that AhnLab disclosed in 2022, with overlaps identified with malware that Cybereason documented as KGH_SPY at the end of 2020.
FPSpy, in addition to keylogging, is also designed to collect system information, download and execute additional payloads, execute arbitrary commands, and list drives, folders, and files on an infected device.
Unit 42 said it was also able to detect points of similarity in the source code of KLogEXE and FPSpy, suggesting that they are likely the work of the same author.
“Most of the targets we observed during our study originated from South Korea and Japan, which is consistent with previous targeting of Kimsuky,” the researchers said.