Continuing the research on the last spearphishing campaign we published yesterday, we found that the same group is using another downloader named Win32/Coswid. The dropper is similar to the one we described in the previous report.
The main difference is that instead of using an html file to hide the configuration, it gets the config values from a PNG file.
Once running, the dropper will send a request to a remote server and will try to download the PNG file.
We noted that the first part of the User-Agent header is the name of the computer running the dropper and the second part is a static string as seen in the code:
This is useful to write an IDS signature based on the User-Agent. You can also find an anomaly on the Accept header (*/*,,,,,).
The PNG file is a valid image:
But if you open the file you will find something interesting at the end of that file:
The dropper scans the file for content between “<!—” and “—!>” and performs a base64 decode. This version of the dropper supports only two commands:
- s [sleep], example s:20
- d [download], example: d:126.96.36.199 /html/AcroRd32.gif
If the dropper finds the download command, it will grab the file specified on the configuration entry. Then it will decrypt and execute it.
There are IDS rules on both Snort Sourcefire and EmergingThreats Pro to cover the HTTP requests:
1:22103 <-> ENABLED <-> BACKDOOR Win32.Coswid.klk runtime detection (backdoor.rules)
2804876 - ETPRO TROJAN Win32/Coswid.A Checkin (trojan.rules)
We have found several configuration files containing the following values:
Most of these payloads are the same trojan discussed in our previous analysis and also known as Trojan.Cookies.
Some of the Coswid files we were able to find are: