A novel Windows malware named ‘Warmcookie’ is being distributed through fake job offer phishing campaigns to infiltrate corporate networks.
According to Elastic Security Labs, which uncovered this new threat, Warmcookie can perform extensive machine fingerprinting, capture screenshots, and deploy additional payloads.
The campaign is ongoing, with threat actors creating new domains weekly to support their malicious operations, utilizing compromised infrastructure to send phishing emails
The phishing campaign uses fake job and recruitment offers sent via emails with attention-grabbing subjects. The emails target individuals with personalized touches, including their names and the names of their current employers.
The phishing email
Source: Elastic
The emails contain a link purportedly for an internal recruitment platform where the job description can be viewed. However, this link redirects users to landing pages that mimic legitimate platforms.
Deceptive landing page
Source: Elastic
To add legitimacy, these fake pages prompt the victim to solve a CAPTCHA before downloading a heavily obfuscated JavaScript file with a name similar to ‘Update_23_04_2024_5689382’.
When executed, the JavaScript file runs a PowerShell script that uses the Background Intelligent Transfer Service (BITS) to download the Warmcookie DLL file from a specified URL and execute it via rundll32.exe.
The Warmcookie payload is copied to C:\ProgramData\RtlUpd\RtlUpd.dll, and upon first execution, it creates a scheduled task named ‘RtlUpd’ that runs every 10 minutes.
Warmcookie’s scheduled task
Source: Elastic
In the final setup phase, Warmcookie establishes communication with its command and control (C2) server and begins fingerprinting the victim’s machine.
Attack chain overview
Source: Elastic
Warmcookie capabilities
Warmcookie is a backdoor malware with various capabilities designed to infiltrate, persist, and gather intelligence from victim systems.
In the first stage of its operation, it collects key information about the infected host, including volume serial number, DNS domain, computer name, and username. It then encrypts and sends this data to the C2 server through the HTTP cookie parameter.
Warmcookie’s main capabilities include:
- Retrieving victim information such as IP address and CPU details
- Capturing screenshots using Windows native tools
- Enumerating installed programs via the registry key
- Executing arbitrary commands using ‘cmd.exe’ and sending the output to the C2
- Dropping files in specified directories/paths
- Reading the contents of specified files and sending the content to the C2
Screenshot taken by Warmcookie
Source: Elastic
All received commands are processed through an integrity check using CRC32 checksums to ensure they haven’t been tampered with.
Additionally, the malware checks the number of CPU processors and physical/virtual memory values. If they are below certain thresholds, the malware won’t run, aiming to evade analysis environments.
Elastic’s analysts comment that despite being a new backdoor with plenty of room for improvement, Warmcookie is already capable of inflicting significant damage on its targets, especially given its capability to introduce additional payloads.
Source: BleepingComputer, Bill Toulas
