S0527 CSPY Downloader
CSPY Downloader is a tool designed to evade analysis and download additional payloads; it is used by Kimsuky.[1]
| Item | Value |
|---|---|
| ID | S0527 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 09 November 2020 |
| Last Modified | 18 October 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | CSPY Downloader can use GET requests to download additional payloads from C2.[1] |
| enterprise | T1070 | Indicator Removal | CSPY Downloader has the ability to remove values it writes to the Registry.[1] |
| enterprise | T1070.004 | File Deletion | CSPY Downloader has the ability to self-delete.[1] |
| enterprise | T1105 | Ingress Tool Transfer | CSPY Downloader can download additional tools to a compromised host.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | CSPY Downloader has attempted to appear as a legitimate Windows service, with a fake description claiming it is used to support packed applications.[1] |
| enterprise | T1112 | Modify Registry | CSPY Downloader can write to the Registry under the %windir% variable to execute tasks.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | CSPY Downloader has been packed with UPX.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | CSPY Downloader can use the schtasks utility to bypass UAC.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | CSPY Downloader has been signed with revoked certificates.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | CSPY Downloader has been delivered via malicious documents with embedded macros.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | CSPY Downloader can search loaded modules, the PEB structure, file paths, Registry keys, and memory to determine whether it is being debugged or running in a virtual environment.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | [1] |