info@thehackernews.com (The Hacker News)
2024-09-26 08:28:00
thehackernews.com
Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy.
The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.
“These samples enhance Sparkling Pisces’ already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities,” Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said.
Active since at least 2012, the threat actor has been called the “king of spear phishing” for its ability to trick victims into downloading malware by sending emails that make it seem like they are from trusted parties.
Unit 42’s analysis of Sparkling Pisces’ infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy.
KLogExe is a C++ version of the PowerShell-based keylogger named InfoKey that was highlighted by JPCERT/CC in connection with a Kimsuky campaign targeting Japanese organizations.
The malware comes equipped with capabilities to collect and exfiltrate information about the applications currently running on the compromised workstation, keystrokes typed, and mouse clicks.
On the other hand, FPSpy is said to be a variant of the backdoor that AhnLab disclosed in 2022, with overlaps identified to a malware that Cyberseason documented under the name KGH_SPY in late 2020.
FPSpy, in addition to keylogging, is also engineered to gather system information, download and execute more payloads, run arbitrary commands, and enumerate drives, folders, and files on the infected device.
Unit 42 said it was also able to identify points of similarities in the source code of both KLogExe and FPSpy, suggesting that they are likely the work of the same author.
“Most of the targets we observed during our research originated from South Korea and Japan, which is congruent with previous Kimsuky targeting,” the researchers said.
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.