ImprudentCook
Intelligence Profile
ImprudentCook is an HTTP(S) downloader.
It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021.
It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication.
It’s hidden in an ADS stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data).
It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:
1. iKc;__uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID;__
utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_
enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo
2. channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_
blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain
It contains a string, "5.40" or "5.60", looking like version information.
Threat Analysis
ImprudentCook is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.