FPSpy Malware

Threat groups linked to North Korea have been identified utilizing two newly developed tools known as KLogEXE and FPSpy. This activity has been connected to a threat actor referred to as Kimsuky, also recognized under aliases such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail and Velvet Chollima. These fresh tools expand the already considerable toolkit of Sparkling Pisces, reflecting the group's ongoing evolution and growing sophistication.

A Sophisticated Threat Actor Operating for Over a Decade

Active since at least 2012, the threat actor has been called the 'king of spear phishing' for its ability to trick victims into downloading malware by sending emails that appear to come from trusted parties. Researchers' analysis of Kimsuky's infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy.

These malware strains are delivered primarily via spear-phishing attacks. Based on the available information, the operators of this campaign favor social engineering in the form of spear-phishing emails sent to their targets.

These carefully crafted emails use language designed to lure the targets into downloading a ZIP file attached to the email. The targets are encouraged to extract the malicious files inside, which upon execution start the infection chain that eventually delivers these malware strains.

FPSpy Is Equipped with Numerous Invasive Capabilities

FPSpy is believed to be a variant of a backdoor first exposed by AhnLab in 2022, showing similarities to a threat documented by Cybereason under the name KGH_SPY in late 2020. Beyond keylogging, FPSpy is designed to collect system details, download and deploy additional payloads, execute arbitrary commands, and scan drives, folders and files on the compromised system.

Meanwhile, KLogEXE, another newly identified threat, is a C++ adaptation of a PowerShell-based keylogger called InfoKey, previously flagged by JPCERT/CC in a Kimsuky campaign targeting Japanese entities. This tool is equipped to capture and exfiltrate data about active applications, keystrokes and mouse movements on the affected machine.

A Highly Targeted Attack Campaign

Cybersecurity experts have identified similarities in the source code of KLogEXE and FPSpy, indicating that both were likely developed by the same author. While Kimsuky has a history of targeting various regions and sectors, this particular campaign seems focused on organizations in Japan and South Korea.

Given the targeted and selective nature of these operations, researchers have concluded that the campaign is unlikely to be widespread. Instead, it appears confined to specific industries and limited primarily to Japan and South Korea.
