Malware
ImprudentCook
ImprudentCook is an HTTP(S) downloader. It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1
ImprudentCook is an HTTP(S) downloader.
It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021.
It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication.
It’s hidden in an ADS stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data).
It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:
-
iKc;__uid;OAX;DMP_UID;PCID;gid;gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID; utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;gat_gtag_UA;webid enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo
-
channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_ blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain
It contains a string, "5.40" or "5.60", looking like version information.
Family metadata imported from Malpedia (Fraunhofer FKIE).