CSPY Downloader Description
The CSPY Downloader is a new custom-made downloader malware that has been observed to be deployed as part of the arsenal of the North Korean hacker group Kimsuky. The CSPY Downloader serves the role of a first-stage malware dropper that delivers the second-stage malware payload. The CSPY Downloader also runs a wide range of anti-analysis and anti-sandbox techniques designed to hamper any attempts at analyzing the threatening samples.
The CSPY Downloader is propagated through phishing emails carrying poisoned Word docs. The specific document is designed to attract the targeted user's attention by stating that it contains an interview with a North Korean defector that discusses the struggles of living in the country. Once executed, the threatening macros injected into the doc are triggered. They drop and execute the CSPY Downloader as a file named 'winload.exe' onto the victim's computer.
The 'winload.exe' file is packed with UPX and has its compile timestamp shifted backward to July 30, 2016. It is signed with an expired certificate attributed to EGIS Co., Ltd, an entity that has already been linked to the Kimsuky hacker group.
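Two of the traits described above, UPX packing and a backdated compile timestamp, can be checked from the PE header alone. The following triage script is an added example, not code from the original article or from any analysis of the actual sample: it parses the COFF header and section table by hand, and runs on a constructed stub PE whose timestamp and section names mirror the reported traits (the first-seen date is an assumed value).

```python
import calendar
import struct
from datetime import datetime, timezone

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names left behind by the UPX packer


def parse_pe(data: bytes) -> dict:
    """Minimal PE parse: COFF TimeDateStamp and section names (optional header is skipped)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(nsections)]
    return {"timestamp": stamp, "sections": names}


def triage(data: bytes, first_seen: datetime, max_age_days: int = 730) -> list[str]:
    """Flag packer sections and a compile timestamp implausibly far from the first sighting."""
    info = parse_pe(data)
    findings = []
    if UPX_SECTIONS & set(info["sections"]):
        findings.append("upx-packed")
    compiled = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    if compiled > first_seen:
        findings.append("timestamp-in-future")
    elif (first_seen - compiled).days > max_age_days:
        findings.append("timestamp-suspiciously-old:" + compiled.date().isoformat())
    return findings


def build_sample(stamp: int, sections: list[bytes]) -> bytes:
    """Constructed stub PE for testing: MZ header, PE signature, COFF header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in sections)
    return dos + b"PE\0\0" + coff + table


# Constructed sample mirroring the reported winload.exe traits: UPX sections and a
# compile timestamp backdated to 2016-07-30; the first-seen date is an assumption.
SAMPLE = build_sample(calendar.timegm((2016, 7, 30, 0, 0, 0)), [b"UPX0", b"UPX1"])
FIRST_SEEN = datetime(2020, 11, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(triage(SAMPLE, FIRST_SEEN))
```

A timestamp older than the signing certificate or the sighting by years is not proof of tampering on its own, but combined with packing and an expired signer it is a cheap first filter for a sandbox queue.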
The CSPY Downloader Performs Extensive Anti-Analysis Techniques
Before it proceeds to the delivery of the second-stage malware payloads, the CSPY Downloader makes sure that it is not being run in a Virtual Machine environment. The downloader repeats some of the checks that the initial scripts from the weaponized Word doc have already performed, showing the hackers' commitment to keeping their malware tools secret. CSPY scans for specific virtualization-related modules, file paths, Registry keys and memory artifacts. It also inspects the PEB structure of its own process. If none of the scans finds a match, the CSPY Downloader moves on to the next step of its program; otherwise, it terminates its execution.
Three files are dropped on the compromised machine by CSPY - a main executable file and two potential malware modules. All three payloads are downloaded to the %temp% folder initially but are quickly renamed and moved to different locations. When initiating the main malware payload, CSPY attempts to disguise it as a legitimate Windows service by making the bogus claim that it is needed to support packed applications. To run the threatening binary with elevated privileges, the downloader employs a technique that bypasses Windows User Account Control (UAC) by abusing the SilentCleanup scheduled task.
When the CSPY Downloader has finished performing its tasks, it simply deletes itself from the compromised machine.