June 14, 2012 | Jaime Blasco

Continuing the research on the spearphishing campaign we published yesterday, we found that the same group is using another downloader named Win32/Coswid. The dropper is similar to the one we described in the previous report.

The main difference is that instead of using an html file to hide the configuration, it gets the config values from a PNG file.

Once running, the dropper will send a request to a remote server and will try to download the PNG file.

We noted that the first part of the User-Agent header is the name of the computer running the dropper and the second part is a static string as seen in the code:

This is useful to write an IDS signature based on the User-Agent. You can also find an anomaly on the Accept header (*/*,,,,,).
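As an added illustration of the detection idea above (this is our own example, not code from the original post or from the dropper), the following Python snippet parses raw HTTP request headers and flags the malformed Accept header `*/*,,,,,`, then pulls the computer name out of the first token of the User-Agent. The sample requests are constructed, and the second User-Agent token is a placeholder, since the post's screenshot of the static string is not reproduced here.

```python
# Constructed sample requests (not real captures). The first mimics the
# dropper's request shape described in the post; the second is a normal browser.
# "STATIC-STRING-PLACEHOLDER" stands in for the dropper's fixed UA suffix.
SAMPLE_REQUESTS = [
    "GET /html/config.png HTTP/1.1\r\n"
    "User-Agent: WORKSTATION-01 STATIC-STRING-PLACEHOLDER\r\n"
    "Accept: */*,,,,,\r\n"
    "Host: example.invalid\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html,*/*;q=0.8\r\n"
    "Host: example.invalid\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_malformed_accept(headers):
    """True when Accept is the exact anomaly from the post or contains empty
    media-range entries (runs of commas), which real clients do not emit."""
    accept = headers.get("accept", "")
    if accept == "*/*,,,,,":
        return True
    entries = [e.strip() for e in accept.split(",")]
    return len(entries) > 1 and any(e == "" for e in entries)


def flag_coswid_like(raw_requests):
    """Return one record per request whose Accept header matches the anomaly,
    including the leading User-Agent token (the infected computer's name)."""
    hits = []
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        if not has_malformed_accept(headers):
            continue
        ua = headers.get("user-agent", "")
        host_part = ua.split(None, 1)[0] if ua else ""
        hits.append({
            "request_line": request_line,
            "host_part": host_part,
            "user_agent": ua,
            "accept": headers.get("accept", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_coswid_like(SAMPLE_REQUESTS):
        print(hit)
```

The empty-entry check is deliberately broader than the literal string so that a variant with a different number of commas is still caught; the exact match keeps the post's observed value as a high-confidence case.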

The PNG file is a valid image:

But if you open the file you will find something interesting at the end of that file:

The dropper scans the file for content between `<!--` and `--!>` and performs a base64 decode. This version of the dropper supports only two commands:

- s [sleep], example: s:20

- d [download], example: d: /html/AcroRd32.gif

If the dropper finds the download command, it will grab the file specified on the configuration entry. Then it will decrypt and execute it.
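To make the configuration format concrete for analysts who want to triage PNG files found in proxy logs, here is an added Python example (ours, not code from the post or the malware) that builds a constructed, valid 1x1 PNG with a base64 block appended after IEND, locates the `<!--` / `--!>` markers only in the bytes after the image, decodes the block, and parses the `s:` and `d:` commands. It assumes one command per line inside the decoded block; the post does not state the separator, so that is our assumption, as is the PNG validity check before looking at the trailer.

```python
import base64
import struct
import zlib

OPEN_MARK = b"<!--"
CLOSE_MARK = b"--!>"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    # One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(config_text):
    """Constructed sample (not a real artefact): a valid 1x1 RGB PNG followed by
    the base64-encoded config wrapped in the markers the dropper scans for."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")           # filter 0 + one white pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    trailer = OPEN_MARK + base64.b64encode(config_text.encode()) + CLOSE_MARK
    return png + trailer


def png_end_offset(data):
    """Offset just past the IEND chunk, or -1 if the data is not a well-formed PNG.
    Walking the chunk list (rather than searching for b'IEND') avoids being fooled
    by the string appearing inside image data."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(data):
            return -1
        if ctype == b"IEND":
            return pos
    return -1


def extract_config(data):
    """Return the decoded config text hidden after the image, or None if the
    file is not a PNG, has no marker pair after IEND, or the payload is not base64."""
    end = png_end_offset(data)
    if end < 0:
        return None
    tail = data[end:]
    start = tail.find(OPEN_MARK)
    if start < 0:
        return None
    stop = tail.find(CLOSE_MARK, start + len(OPEN_MARK))
    if stop < 0:
        return None
    blob = tail[start + len(OPEN_MARK):stop].strip()
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def parse_commands(config_text):
    """Parse 's' (sleep) and 'd' (download) commands, one per line (assumption).
    Unknown commands are ignored since this dropper version supports only these two."""
    commands = []
    for line in config_text.splitlines():
        line = line.strip()
        if len(line) < 2 or line[0] not in ("s", "d") or line[1] != ":":
            continue
        commands.append((line[0], line[2:].strip()))
    return commands


if __name__ == "__main__":
    sample = build_sample_png("s:20\nd: /html/AcroRd32.gif")
    cfg = extract_config(sample)
    print(cfg)
    print(parse_commands(cfg))
```

A triage script would run `extract_config` over PNGs pulled from proxy caches: an image that is valid and also yields a decodable command list after IEND is a strong indicator, while ordinary images return None.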

Both Sourcefire (Snort) and Emerging Threats Pro have IDS rules covering the HTTP requests:

1:22103 <-> ENABLED <-> BACKDOOR Win32.Coswid.klk runtime detection (backdoor.rules)

2804876 - ETPRO TROJAN Win32/Coswid.A Checkin (trojan.rules)

We have found several configuration files containing the following values:

d: /temp/smss.gif

d: /images/update.gif

d: /mama/winupdate.gif

d: /netaphex/Acrod32.gif

d: /netaphex/Acrod.gif

d: /netaphex/update.gif

d: /netaphex/google.gif /inc/update.gif

Most of these payloads are the same trojan discussed in our previous analysis and also known as Trojan.Cookies.

Some of the Coswid files we were able to find are:


About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
