Dipping into Danger: The WARMCOOKIE backdoor
Summary:
Since April 2024, researchers at Elastic Security Labs have observed a wave of phishing campaigns using recruiting and job-themed lures to distribute a novel backdoor called WARMCOOKIE. The attack chain initiates with emails enticing victims to pursue new job opportunities by clicking on a link to an internal system to view a job description. If the victim falls for the lure, they are directed to a landing page that resembles a legitimate page specially crafted for them. Here the victim is prompted to download a document by solving a CAPTCHA challenge, which once solved initiates the download of an obfuscated JavaScript file. The obfuscated file is designed to run a PowerShell script, ultimately leading to the deployment of WARMCOOKIE.
Security Officer Comments:
According to Elastic Security Labs, the actors behind the latest campaign are deploying new domains and infrastructure weekly as a means of avoiding detection and maintaining their operations with minimal disruptions. Using tools like urlscan and VirusTotal, researchers observed several new landing pages being generated on a single IP address. These landing pages are curated to mimic legitimate job recruiting platforms like Michael Page, Jays, PageGroup, etc., with the goal of infecting victims with WARMCOOKIE.
WARMCOOKIE is believed to be a newer version of an unnamed sample (resident2[.]exe) that was uncovered by eSentire, with similar features including the implementation of string obfuscation but differing functionality. For its part, WARMCOOKIE is used to scout out victim networks and deploy additional payloads. It comes with a limited number of capabilities including the ability to retrieve victim information, capture screenshots via Windows native tools, execute arbitrary commands, read file content from infected machines, etc.
Suggested Corrections:
Phishing appears to be the primary infection vector for WARMCOOKIE. To avoid falling victim, users should exercise caution and avoid clicking on links in unsolicited emails, especially those advertising job opportunities. Instead, use reputable platforms such as LinkedIn and Indeed for job searches. Additionally, it is advisable to visit the official website of the company you are interested in directly for job listings and information.
Elastic Security Labs has published YARA rules and IOCs which can be used for detecting WARMCOOKIE
Link(s):
https://www.elastic.co/security-labs/dipping-into-danger