WARMCOOKIE is a new Windows backdoor delivered via a phishing campaign called REF6127. It can take screenshots, deliver additional payloads, and fingerprint systems. “This malware is a serious threat, enabling access to target environments and deployment of more malware,” Elastic Security Labs told Cyber Security News.
WARMCOOKIE Backdoor
Since late April 2024, researchers have observed phishing efforts using recruitment firm lures.
These emails addressed recipients by name and employer, enticing them to click a link to view a job description on an internal system.
After clicking, users are taken to a personalized, authentic-looking landing page where they must complete a CAPTCHA test to download a document. These pages, referencing a new URSNIF variant, resemble earlier campaigns identified by Google Cloud’s security team.
Upon solving the CAPTCHA, an obfuscated JavaScript file is downloaded, which then launches PowerShell to initiate the WARMCOOKIE loading process. PowerShell uses BITS to download and launch WARMCOOKIE.
Researchers found that the IP address 45.9.74[.]135 is used by the threat actor to rapidly create new landing pages. The actor targeted various hiring agencies, incorporating industry-related keywords.
Before making its first outgoing network request, the backdoor collects the following values to identify and fingerprint the target system:
- Volume serial number
- DNS domain
- Computer name
- Username
This malware can take screenshots, allowing it to exploit visible private data and monitor the victim’s computer closely.
Analysts report that threat actors create new infrastructure and domains weekly to support these campaigns.
“Although there are some development issues, we expect these will be resolved over time,” researchers conclude.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment