Ethical Hacking News
New Malware Strains Uncovered: KLogEXE and FPSpy Used in Targeted Attacks by North Korean Hackers
North Korean hackers attributed to the group tracked as Kimsuky or APT43 have deployed two new malware strains, dubbed KLogEXE and FPSpy, in targeted attacks. The strains are enhancements to the existing arsenal of Sparkling Pisces (Unit 42's name for the group) and highlight its continuous evolution and growing capabilities.
KLogEXE and FPSpy were discovered and attributed to the North Korean group known as Kimsuky (APT43).
The group has been active in APT campaigns since 2012.
Kimsuky is known for spear phishing attacks and for executing complex techniques after initial access.
Both KLogEXE and FPSpy demonstrate the group's continuous evolution and increasing capabilities.
KLogEXE is a C++ version of a keylogger, while FPSpy is a variant of a backdoor.
The two strains share similarities in source code, suggesting shared authorship.
The campaigns target Japanese and South Korean organizations.
The cybersecurity landscape has recently been shaken by the revelation of two new malware strains, dubbed KLogEXE and FPSpy, which have been employed by North Korean hackers in targeted attacks. According to a report from Palo Alto Networks Unit 42, these strains are part of a broader campaign attributed to the threat actor known as Kimsuky, also referred to as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.
Kimsuky, or APT43, has been an active player in the world of advanced persistent threats (APTs) for several years, with its origins dating back to at least 2012. The group's ability to execute spear phishing attacks, which involve tricking victims into downloading malware by sending emails that appear to be from trusted sources, has earned it a reputation as the "king of spear phishing." This particular tactic allows the hackers to gain initial access into an organization before progressing with more complex and sophisticated techniques.
The two new malware strains, KLogEXE and FPSpy, are part of this broader campaign. According to Unit 42 researchers Daniel Frank and Lior Rochberger, these samples represent enhancements to Sparkling Pisces' existing arsenal and demonstrate the group's continuous evolution and increasing capabilities.
KLogEXE is a C++ version of the PowerShell-based keylogger named InfoKey that was highlighted in connection with another Kimsuky campaign targeting Japanese organizations. It can collect and exfiltrate information about the applications currently running on the compromised workstation, the keystrokes typed, and mouse clicks. Keylogging malware of this kind is noteworthy because it shows the group's interest in gathering sensitive information, such as typed credentials, from its targets.
FPSpy is described as a variant of the backdoor that AhnLab disclosed in 2022, with overlaps identified to a malware family documented under the name KGH_SPY in late 2020. It also gathers system information, downloads and executes additional payloads, runs arbitrary commands, and enumerates drives, folders, and files on the infected device.
One of the most intriguing aspects of this campaign is the similarity between the source code of KLogEXE and FPSpy, which suggests that both strains were developed by the same author. Shared authorship across a keylogger and a backdoor points to an organized development effort behind the group's operations, and to its ability to adapt its tooling as defenses change.
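The article states that Unit 42 found source-level similarities between the two samples but does not say how the comparison was done. The following is an added example, not Unit 42's method and not code from either malware family: it sketches one common approach, comparing samples by the instruction n-grams their functions share. The three mnemonic sequences are constructed stand-ins for what a disassembler would produce with operands stripped; in real analysis you would feed it actual disassembly of the functions under comparison.

```python
"""Rank candidate samples by shared instruction n-grams against a reference.

Added example for illustration only (not the page's or Unit 42's code).
Inputs are constructed mnemonic sequences; real use would disassemble the
functions (for example with capstone) and strip operands the same way.
"""


def ngrams(seq, n=4):
    """Set of overlapping n-grams (tuples) over a token sequence."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def jaccard(a, b):
    """Jaccard index of two sets; empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(seq_a, seq_b, n=4):
    """Similarity of two mnemonic sequences in [0, 1] via n-gram Jaccard."""
    return jaccard(ngrams(seq_a, n), ngrams(seq_b, n))


def rank(candidates, reference, n=4, threshold=0.5):
    """Return (name, score) pairs at or above threshold, highest first."""
    scored = [(name, similarity(reference, seq, n))
              for name, seq in candidates.items()]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: -s[1])


# Constructed data: operand-stripped mnemonics for one function per sample.
# sample_b shares most of sample_a's instruction stream (one inserted xor);
# sample_c is written differently and shares nothing.
SAMPLE_A = "push mov sub call test jz mov call mov cmp jne lea call mov add pop ret".split()
SAMPLE_B = "push mov sub call test jz mov call mov cmp jne lea call xor mov add pop ret".split()
SAMPLE_C = "mov xor lea cmp ja movzx shl or add cmp jb xor ret".split()

CANDIDATES = {"sample_b": SAMPLE_B, "sample_c": SAMPLE_C}


def related_to_a():
    """Candidates whose 4-gram overlap with sample_a clears the threshold."""
    return rank(CANDIDATES, SAMPLE_A)


if __name__ == "__main__":
    for name, score in related_to_a():
        print(f"{name}: {score:.3f}")
```

The threshold is a tuning knob, not a verdict: n-gram overlap is easily inflated by shared compiler prologues, runtime stubs, and statically linked libraries, so in practice you filter those functions out first and treat a high score as a lead for manual comparison rather than proof of common authorship.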
Unit 42 researcher Assaf Dahan notes that Sparkling Pisces' primary targets in this campaign appear to be Japanese and South Korean organizations. While the nature of these campaigns makes it unlikely that they are vastly widespread, the fact that they are aimed at specific countries and industries highlights the group's focus on particular sectors rather than on indiscriminate mass targeting.
In summary, the discovery of the KLogEXE and FPSpy malware strains by Palo Alto Networks Unit 42 reveals an ongoing campaign attributed to the North Korean group Kimsuky. The two strains demonstrate the group's growing capabilities and its ability to evolve its tooling as defenses change, and the targeted nature of the campaign underlines its focus on specific countries and industries.
Related Information:
https://thehackernews.com/2024/09/n-korean-hackers-deploy-new-klogexe-and.html
https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/
https://cloud.google.com/blog/topics/threat-intelligence/apt43-north-korea-cybercrime-espionage
https://www.scmagazine.com/analysis/meet-apt43-the-group-that-hacks-spies-and-steals-for-north-koreas-ruling-elite
https://securityaffairs.com/144499/apt/north-korea-archipelago-apt.html
https://thehackernews.com/2023/06/north-koreas-kimsuky-group-mimics-key.html
https://attack.mitre.org/groups/G0094/
https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/
https://en.wikipedia.org/wiki/Kimsuky
https://thehackernews.com/2024/05/kimsuky-apt-deploying-linux-backdoor.html
https://socprime.com/blog/linux-backdoor-gomir-detection-north-korean-kimsuky-apt-aka-springtail-spreads-new-malware-variant-targeting-south-korean-organizations/
Published: Fri Sep 27 23:48:32 2024 by llama3.2 3B Q4_K_M