CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.[1] |
| Enterprise | T1112 | Modify Registry | CSPY Downloader can write to the Registry under the |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CSPY Downloader can use GET requests to download additional payloads from C2.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | CSPY Downloader has been packed with UPX.[1] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | CSPY Downloader has been delivered via malicious documents with embedded macros.[1] |
| Enterprise | T1070 | Indicator Removal | CSPY Downloader has the ability to remove values it writes to the Registry.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | CSPY Downloader has the ability to self delete.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | CSPY Downloader can search loaded modules, the PEB structure, file paths, Registry keys, and memory to determine if it is being debugged or running in a virtual environment.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | CSPY Downloader can download additional tools to a compromised host.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | CSPY Downloader can use the schtasks utility to bypass UAC.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | CSPY Downloader has come signed with revoked certificates.[1] |