Win32/Coswid

June 14, 2012 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Continuing the research on the last spearphishing campaign we published yesterday,  we found that the same group is using another downloader named Win32/Coswid. The dropper is similar to the one we described in the previous report.

The main difference is that instead of using an html file to hide the configuration, it gets the config values from a PNG file.

Once running, the dropper will send a request to a remote server and will try to download the PNG file.

We noted that the first part of the User-Agent header is the name of the computer running the dropper and the second part is a static string as seen in the code:

This is useful to write an IDS signature based on the User-Agent. You can also find an anomaly on the Accept header (*/*,,,,,).

The PNG file is a valid image:

But if you open the file you will find something interesting at the end of that file:

The dropper scans the file for content between “<!—” and “—!>” and performs a base64 decode. This version of the dropper supports only two commands:

- s [sleep], example s:20

- d [download], example: d:173.10.48.242 /html/AcroRd32.gif

If the dropper finds the download command, it will grab the file specified on the configuration entry. Then it will decrypt and execute it.

There are IDS rules on both Snort Sourcefire and EmergingThreats Pro to cover the HTTP requests:

1:22103 <-> ENABLED <-> BACKDOOR Win32.Coswid.klk runtime detection (backdoor.rules)

2804876 - ETPRO TROJAN Win32/Coswid.A Checkin (trojan.rules)

We have found several configuration files containing the following values:

d:173.10.48.242/html/AcroRd32.gif

d:66.109.23.156 /temp/smss.gif

d:66.109.23.156 /images/update.gif

d:65.105.157.28 /mama/winupdate.gif

d:69.84.35.39 /netaphex/Acrod32.gif

d:69.84.35.39 /netaphex/Acrod.gif

d:69.84.35.39 /netaphex/update.gif

d:69.84.35.39 /netaphex/google.gif

d:yulepx.com /inc/update.gif

Most of these payloads are the same trojan discussed in our previous analysis and also known as Trojan.Cookies.

Some of the Coswid files we were able to find are:

726ef24b8eff4c4121c73861756fb9a3

a4ba6540520c375875bf46cf8e19cb7d

09fd067b6d944bf111857f6f60b7471e

b5cf509ec072aa281e5bdb1f7c7a36ea

06cd694d383e4951e274878b975b5785

eab862be60fdfe98ce415d38e41889bf

f791d1ad81601aac3e3d32a683189c06

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL