S0527 CSPY Downloader

CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[1]

| Item | Value |
|---|---|
| ID | S0527 |
| Associated Names | |
| Version | 1.0 |
| Created | 09 November 2020 |
| Last Modified | 18 October 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| Enterprise | T1548.002 | Bypass User Account Control | CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.[1] |
| Enterprise | T1071 | Application Layer Protocol | - |
| Enterprise | T1071.001 | Web Protocols | CSPY Downloader can use GET requests to download additional payloads from C2.[1] |
| Enterprise | T1070 | Indicator Removal | CSPY Downloader has the ability to remove values it writes to the Registry.[1] |
| Enterprise | T1070.004 | File Deletion | CSPY Downloader has the ability to self-delete.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | CSPY Downloader can download additional tools to a compromised host.[1] |
| Enterprise | T1036 | Masquerading | - |
| Enterprise | T1036.004 | Masquerade Task or Service | CSPY Downloader has attempted to appear as a legitimate Windows service, with a fake description claiming it is used to support packed applications.[1] |
| Enterprise | T1112 | Modify Registry | CSPY Downloader can write to the Registry under the %windir% variable to execute tasks.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | - |
| Enterprise | T1027.002 | Software Packing | CSPY Downloader has been packed with UPX.[1] |
| Enterprise | T1053 | Scheduled Task/Job | - |
| Enterprise | T1053.005 | Scheduled Task | CSPY Downloader can use the schtasks utility to bypass UAC.[1] |
| Enterprise | T1553 | Subvert Trust Controls | - |
| Enterprise | T1553.002 | Code Signing | CSPY Downloader has been signed with revoked certificates.[1] |
| Enterprise | T1204 | User Execution | - |
| Enterprise | T1204.002 | Malicious File | CSPY Downloader has been delivered via malicious documents with embedded macros.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| Enterprise | T1497.001 | System Checks | CSPY Downloader can search loaded modules, the PEB structure, file paths, Registry keys, and memory to determine whether it is being debugged or running in a virtual environment.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | [1] |