win.imprudentcook

ImprudentCook

Actor(s): Lazarus Group


ImprudentCook is an HTTP(S) downloader.

It was delivered in Operation DreamJob-style activity targeting aerospace and defense companies in South Africa (Q2 2022) and in Central Europe (H1 2023), and against an unknown sector in South Korea back in Q2 2021.

It uses the AES cipher, implemented through Windows Cryptographic Providers, to decrypt its binary configuration and to encrypt and decrypt its client-server communication.

It is hidden in an alternate data stream (ADS) of its dropper (:dat or :zone), together with its configuration (:rsrc) and an AES-128 CBC key plus an initialization vector used to decrypt that configuration (:kgb or :data).

It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:

1. iKc;__uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID;__utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo

2. channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain

It contains a string, "5.40" or "5.60", that looks like version information.

References
2023-10-04 — Virus Bulletin — Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2021-05-13 — AhnLab — AhnLab ASEC Analysis Team
APT attack for domestic companies using library files
ImprudentCook
Yara Rules
[TLP:WHITE] win_imprudentcook_auto (20230808 | Detects win.imprudentcook.)
rule win_imprudentcook_auto {
    // Autogenerated detection rule for the ImprudentCook HTTP(S) downloader
    // (attributed to Lazarus Group / Operation DreamJob). The rule matches
    // raw x86-64 code byte sequences taken from unpacked samples, so it is
    // intended for memory dumps and unpacked files rather than packed droppers
    // (see the DISCLAIMER below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.imprudentcook."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review) on the inline disassembly comments below:
     * The hex byte sequences are what YARA matches on and are authoritative.
     * The "| mnemonic" annotations next to them appear to be a 32-bit decoding
     * of 64-bit code (most sequences start with REX prefixes 48/49/4c/4d) and
     * are not consistent — e.g. the same bytes 48ffcd are annotated
     * "mov ecx, eax" in $sequence_0 and "test ecx, ecx" in $sequence_9.
     * Do not rely on the annotations when triaging a hit; re-disassemble the
     * matched offsets as x86-64 instead.
     * The ???????? wildcards mask the four bytes following e8/e9 (relative
     * call/jump displacements), which differ between builds and load layouts.
     */

    strings:
        $sequence_0 = { 488d3c0b 483bf9 4983d200 4883ee18 4d03da 4d03d9 48ffcd }
            // n = 7, score = 100
            //   488d3c0b             | test                ebx, ebx
            //   483bf9               | inc                 ecx
            //   4983d200             | setns               dh
            //   4883ee18             | mov                 eax, 1
            //   4d03da               | nop                 word ptr [eax + eax]
            //   4d03d9               | dec                 esp
            //   48ffcd               | mov                 ecx, eax

        $sequence_1 = { 4983c708 4983c508 48ffc9 75ec 49894500 488b5520 488d4fff }
            // n = 7, score = 100
            //   4983c708             | mov                 ecx, dword ptr [esi]
            //   4983c508             | dec                 ecx
            //   48ffc9               | lea                 edx, [esp - 1]
            //   75ec                 | dec                 ecx
            //   49894500             | lea                 eax, [esi + 8]
            //   488b5520             | dec                 eax
            //   488d4fff             | test                edx, edx

        $sequence_2 = { 4d8bc4 498bd2 eb08 4c89642420 4c8bc7 }
            // n = 5, score = 100
            //   4d8bc4               | dec                 eax
            //   498bd2               | shr                 ebp, 0x20
            //   eb08                 | dec                 ecx
            //   4c89642420           | imul                ecx, eax
            //   4c8bc7               | dec                 eax

        $sequence_3 = { 488d04ed00000000 4c03f5 4803f5 48ffc3 4c03f8 4c3bf7 7ec8 }
            // n = 7, score = 100
            //   488d04ed00000000     | dec                 eax
            //   4c03f5               | mov                 ecx, esi
            //   4803f5               | mov                 eax, dword ptr [esp + 0x80]
            //   48ffc3               | inc                 eax
            //   4c03f8               | inc                 esp
            //   4c3bf7               | sub                 ecx, eax
            //   7ec8                 | mov                 dword ptr [esp + 0x80], eax

        $sequence_4 = { 4c8bcf 4d8bc5 498bd4 e8???????? 488b9580000000 41b901000000 4d8bc6 }
            // n = 7, score = 100
            //   4c8bcf               | dec                 ecx
            //   4d8bc5               | add                 edx, ecx
            //   498bd4               | dec                 ecx
            //   e8????????           |                     
            //   488b9580000000       | add                 edx, edx
            //   41b901000000         | dec                 eax
            //   4d8bc6               | sub                 edx, ebx

        $sequence_5 = { 4d3bfe 0f8c45ffffff 4c8bac2488000000 4f8d7c2d00 498bde 4d3bf7 }
            // n = 6, score = 100
            //   4d3bfe               | dec                 eax
            //   0f8c45ffffff         | mov                 edx, dword ptr [esp + 0x50]
            //   4c8bac2488000000     | dec                 eax
            //   4f8d7c2d00           | mov                 edx, dword ptr [esp + 0x60]
            //   498bde               | dec                 esp
            //   4d3bf7               | mov                 eax, dword ptr [esp + 0x68]

        $sequence_6 = { 8807 e9???????? 81fb0b000100 0f8dfb030000 81fb0000007e 0f87f7030000 85db }
            // n = 7, score = 100
            //   8807                 | test                ecx, ecx
            //   e9????????           |                     
            //   81fb0b000100         | jg                  0x555
            //   0f8dfb030000         | inc                 ebp
            //   81fb0000007e         | test                edi, edi
            //   0f87f7030000         | jle                 0x82d
            //   85db                 | dec                 edx

        $sequence_7 = { 4803c2 48c1f806 488bf8 488bd8 488b8424c0000000 4c8d1cf8 48c1e306 }
            // n = 7, score = 100
            //   4803c2               | dec                 ebp
            //   48c1f806             | cmp                 ecx, eax
            //   488bf8               | jae                 0x1659
            //   488bd8               | dec                 eax
            //   488b8424c0000000     | mov                 eax, 0
            //   4c8d1cf8             | add                 dword ptr [eax], eax
            //   48c1e306             | add                 byte ptr [eax], al

        $sequence_8 = { 4833c2 482bc2 488bd3 493bc2 7d1a 4c895c2428 4c89442420 }
            // n = 7, score = 100
            //   4833c2               | nop                 word ptr [eax + eax]
            //   482bc2               | dec                 esp
            //   488bd3               | mov                 dword ptr [edi], esp
            //   493bc2               | dec                 esp
            //   7d1a                 | lea                 esp, [ebx + 1]
            //   4c895c2428           | dec                 ebp
            //   4c89442420           | mov                 eax, esp

        $sequence_9 = { e9???????? 48ffcd b938000000 90 488bc3 48d3e8 84c0 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   48ffcd               | test                ecx, ecx
            //   b938000000           | dec                 eax
            //   90                   | mov                 ecx, edi
            //   488bc3               | dec                 esp
            //   48d3e8               | lea                 esp, [0x121dd]
            //   84c0                 | dec                 esp

    condition:
        // Any 7 of the 10 byte sequences must be present, and the scanned
        // object must be smaller than 864256 bytes (~844 KiB). The size cap
        // bounds which files are considered; a packed or appended sample that
        // exceeds it will not match even if the sequences are present.
        7 of them and filesize < 864256
}