
CSPY Downloader

Posted: November 4, 2020

The CSPY Downloader is a new malware implant used by the Lazarus Advanced Persistent Threat (APT) group (also known as Kimsuky and Hidden Cobra) in its recent attacks against institutions and organizations involved in the development of COVID-19 vaccines. The CSPY Downloader was usually deployed as a first-stage implant whose purpose was to gather basic system information and to confirm that the coast is clear before the secondary payload, the new KGH Malware implant, is delivered.

The CSPY Downloader is delivered to its intended targets via spear-phishing emails on topics of current interest in the targeted region. One campaign used fake interviews with a non-existent North Korean defector, while others pretended to come from a high-profile sender such as the Japanese Prime Minister. All of the emails carried a corrupted document attachment loaded with a macro script. That macro is responsible for deploying the CSPY Downloader and starting the Trojan downloader's attack.
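Because the delivery vector described above is a document attachment carrying a VBA macro, a mail gateway can flag such attachments before any user opens them. The following is an added example written for this page, not code from the article or from any analysis of CSPY itself: it inspects an OOXML (docx/docm) container for a VBA project part and for the matching content-type declaration, and quarantines the file when one is present. The sample documents it builds are constructed minimal containers, not real Word files, and the policy strings (`quarantine:macro`, `quarantine:extension-mismatch`, `not-ooxml`, `allow`) are this example's own.

```python
import io
import zipfile

# Content type Office uses to declare an embedded VBA project in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NAMESPACE = "http://schemas.openxmlformats.org/package/2006/content-types"
DOC_MAIN_CT = ("application/vnd.openxmlformats-officedocument"
               ".wordprocessingml.document.main+xml")


def ooxml_macro_indicators(data):
    """Return VBA indicators for an OOXML blob, or None if it is not a zip container.

    Legacy OLE2 .doc files are not zip-based and need a different parser
    (e.g. olefile), so they are reported as None rather than silently allowed.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The VBA project normally lives at word/vbaProject.bin (xl/ or ppt/ for other apps).
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        declared = False
        try:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            declared = VBA_CONTENT_TYPE in content_types
        except KeyError:
            pass  # malformed package: no content-types part at all
        return {
            "has_vba_part": bool(vba_parts),
            "vba_parts": vba_parts,
            "content_type_declared": declared,
        }


def should_quarantine(filename, data):
    """Gateway policy (hypothetical): quarantine any attachment carrying VBA.

    A VBA part inside a file whose extension claims a macro-free format
    (.docx/.xlsx/.pptx) is flagged separately, since that mismatch is itself
    a sign of tampering.
    """
    indicators = ooxml_macro_indicators(data)
    if indicators is None:
        return "not-ooxml"
    if indicators["has_vba_part"] or indicators["content_type_declared"]:
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext in ("docx", "xlsx", "pptx"):
            return "quarantine:extension-mismatch"
        return "quarantine:macro"
    return "allow"


def build_sample_docx(with_macro):
    """Build a constructed, minimal OOXML container for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = ('<Override PartName="/word/document.xml" '
                     'ContentType="%s"/>' % DOC_MAIN_CT)
        if with_macro:
            overrides += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="%s"/>' % VBA_CONTENT_TYPE)
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="%s">%s</Types>'
                   % (CT_NAMESPACE, overrides))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Only the OLE2 magic bytes; a real vbaProject.bin is a full OLE stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("report.docm", build_sample_docx(True)),
                       ("report.docx", build_sample_docx(True)),
                       ("notes.docx", build_sample_docx(False))):
        print(name, "->", should_quarantine(name, blob))
```

The check is deliberately independent of the macro's code: it triggers on the presence of a VBA project, not on what the macro does, so obfuscation inside the macro does not affect it. Legacy binary `.doc` attachments return `not-ooxml` and should be routed to an OLE-aware inspector rather than allowed through.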

The primary goal of the CSPY Downloader is to download a secondary payload, but it does so only after performing a series of checks meant to evade virtual environments and systems used for malware analysis. It is important to note that the anti-VM features are not exclusive to the CSPY Downloader: even the document used to launch the downloader checks for Virtual Machine properties before deploying it. Clearly, the APT actors are very dedicated to avoiding honeypots and malware-analysis systems.

The previously undocumented CSPY Downloader has, so far, only been used in combination with the KGH Malware. However, it is very likely that the threat actors behind the campaign will soon use it in their other operations, especially considering the amount of effort that probably went into developing the CSPY Downloader's anti-VM features.
