Phishing, Malware, Threat Intelligence

Novel payloads spread in Kimsuky attacks


The North Korean advanced persistent threat group Kimsuky — also known as APT43, Black Banshee, ARCHIPELAGO, Springtail, Sparkling Pisces, Emerald Sleet, and Velvet Chollima — has leveraged the novel KLogEXE and FPSpy malware strains in attacks primarily targeting organizations in South Korea and Japan, The Hacker News reports.

Kimsuky's intrusions began with spear-phishing emails that lured recipients into downloading a ZIP file and extracting its malicious contents, which in turn deployed the payloads. The two payloads are suspected to come from the same author because of source code similarities, according to an analysis from Palo Alto Networks Unit 42. KLogEXE enables application data exfiltration, keystroke logging, and mouse click surveillance, while FPSpy supports system data collection, additional payload execution, arbitrary command execution, and file enumeration, Unit 42 researchers reported. "Due to the nature of these campaigns, which is considered to be targeted and handpicked, we assess that it is not likely vastly widespread, but rather contained to a few select countries (mainly Japan and South Korea) and a handful of industries," said Unit 42 Director of Threat Research Assaf Dahan.
