The CSPY Downloader is a new malware implant used by the Lazarus Advanced Persistent Threat (APT) group (also known as Kimsuky and Hidden Cobra) in its recent attacks against institutions and organizations involved in the development of COVID-19 vaccines. The CSPY Downloader was usually deployed as a first-stage implant whose purpose was to gather basic system information and to confirm that the coast is clear before a secondary payload, the new KGH Malware implant, is delivered.
The CSPY Downloader is delivered to its intended targets via spear-phishing emails built around topics popular in the targeted region. One campaign involved fake interviews with a non-existent North Korean defector, while others pretended to come from a high-profile sender such as the Japanese Prime Minister. All of the emails carried a malicious document attachment containing a macro script. That macro deploys the CSPY Downloader and sets off the Trojan downloader's attack.
The primary goal of the CSPY Downloader is to download a secondary payload, but it does so only after performing a series of checks intended to keep it away from virtual environments and systems used for malware analysis. It is important to note that the anti-VM features are not exclusive to the CSPY Downloader itself: even the document used to launch the downloader checks for Virtual Machine properties before deploying the CSPY Downloader. Clearly, the APT actors are very dedicated to avoiding honeypots and malware-analysis systems.
The previously undocumented CSPY Downloader has, so far, only been seen in combination with the KGH Malware. However, it is very likely that the threat actors behind the campaign will soon use it in their other operations, especially considering the amount of effort that probably went into developing the CSPY Downloader's anti-VM features.