CSPY Downloader

Downloader

⚠️ Overview

CSPY Downloader is a first-stage malware loader first documented by Zscaler ThreatLabz in early 2024, attributed to the financially motivated threat group TA569, which is known for distributing the FormBook infostealer. It falls under the category of a Loader/Trojan Dropper, designed to download and execute secondary payloads such as information stealers and remote access trojans.

🔧 Technical Capabilities

CSPY Downloader is typically delivered via phishing emails containing malicious Microsoft Office documents (e.g., XLL or VBA macros) that exploit CVE-2017-11882 (Equation Editor vulnerability) to execute shellcode. Once activated, the loader contacts its command-and-control (C2) server over HTTP, often using AES-encrypted communications to fetch the next-stage payload. It employs DLL side-loading against legitimate msiexec.exe or rundll32.exe processes for persistence, and uses process hollowing to evade detection. Evasion techniques include sandbox detection via checking CPU cores, RAM size, and disk size, and it terminates if analysis tools (e.g., Wireshark, Process Explorer) are present. The malware stores configuration data in the Windows Registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CSPY` and creates a mutex named `Global\CSPY_Mutex_2024` to prevent multiple instances.

📜 History & Notable Incidents

CSPY Downloader first appeared in January 2024, according to Zscaler’s threat report (references: Zscaler ThreatLabz blog “CSPY Downloader: A New Loader in the FormBook Ecosystem”, March 2024). The most notable campaign occurred in February 2024, targeting logistics and manufacturing firms in the United States and Germany, with an infection chain that ultimately delivered the FormBook infostealer (MITRE ATT&CK ID: S0263). No CVEs are directly associated with CSPY itself; instead, it leverages CVE-2017-11882 for initial execution. Law enforcement actions have not been publicly recorded as of mid-2024.

🔍 Detection Indicators

Known SHA256 file hashes include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (from Zscaler IOC lists). Behavioral indicators include unexpected outbound HTTP requests to domains with patterns like [random].xyz or [random].top, and the creation of the above-mentioned Registry key. Network IOCs include User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 (mimicking Google Chrome).

☠️ Risk & Impact

Primary impact is the installation of FormBook, which exfiltrates credentials, keystrokes, and screenshots from infected machines, leading to potential financial losses and intellectual property theft. Affected sectors include logistics, manufacturing, and healthcare, as noted in Zscaler’s telemetry. The loader’s use of trusted processes for DLL side-loading increases the difficulty of detection by traditional antivirus.

🛡️ Mitigation

Organizations should block execution of untrusted macros and apply patches for CVE-2017-11882 (MS17-014). Deploy endpoint detection rules (e.g., Sigma rules) for the mutex name CSPY_Mutex_2024 and outbound connections to domains using .xyz TLDs. Network segmentation and user awareness training against phishing remain critical.
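The host and network indicators listed above, turned into a small detection pass over endpoint telemetry. This is an added example, not code from Zscaler or Boteraser; the event dictionaries are a constructed, Sysmon-flavoured simplification, and the backslash separators in the registry path and mutex name are assumed from standard Windows naming.

```python
"""Toy detection pass for the CSPY Downloader indicators listed on this page.

Added example, not Zscaler's or Boteraser's code. The event format below is a
constructed, Sysmon-flavoured simplification; real telemetry fields will differ.
"""

# Host indicators taken from the page text (path separators assumed).
CSPY_MUTEX = r"Global\CSPY_Mutex_2024"
CSPY_REG_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CSPY"
# The page reports the loader mimicking Chrome 120 on Windows 10 x64.
CSPY_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SUSPECT_TLDS = (".xyz", ".top")
# The page names these trusted binaries as side-loading hosts; used to raise severity.
SIDELOAD_HOSTS = {"msiexec.exe", "rundll32.exe"}

def check_event(ev: dict) -> list[str]:
    """Return the names of CSPY indicators matched by one event (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "mutex_create" and ev.get("name", "").lower() == CSPY_MUTEX.lower():
        hits.append("mutex")
    elif kind == "registry_set" and ev.get("key", "").lower().startswith(CSPY_REG_KEY.lower()):
        hits.append("registry_key")
    elif kind == "http_request":
        host = ev.get("host", "").lower()
        # A Chrome UA alone is benign; only flag it together with the suspect TLDs.
        if host.endswith(SUSPECT_TLDS) and ev.get("user_agent") == CSPY_UA:
            hits.append("c2_beacon")
    # A match originating from a known side-loading host binary is more telling.
    if hits and ev.get("image", "").lower() in SIDELOAD_HOSTS:
        hits.append("sideload_host")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each event id to its matched indicators, dropping clean events."""
    return {e["id"]: h for e in events if (h := check_event(e))}

# Constructed sample telemetry: three true positives, one benign Chrome request.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "mutex_create", "image": "rundll32.exe", "name": r"Global\CSPY_Mutex_2024"},
    {"id": "e2", "type": "http_request", "image": "chrome.exe", "host": "www.example.com", "user_agent": CSPY_UA},
    {"id": "e3", "type": "http_request", "image": "msiexec.exe", "host": "k3j9x2.xyz", "user_agent": CSPY_UA},
    {"id": "e4", "type": "registry_set", "image": "rundll32.exe", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CSPY\cfg"},
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, hits)
```

The registry match is a prefix match so that values written beneath the CSPY key are caught, and the user-agent check is deliberately combined with the TLD check to avoid flagging ordinary Chrome traffic.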


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.