A backdoor specific to Windows devices has been discovered, delivered via recruitment-themed phishing campaigns. Elastic Security Labs has dubbed the backdoor ‘WARMCOOKIE’ due to data transfer across the HTTP cookie parameter. The phishing campaign delivering the malware utilizes specifically individualized emails that pull information about a target’s employers, current and potentially past, to tailor the bait to suit an individual’s specific interests and skillset. The potential for compromise and further exploitation involved in this backdoor represents a significant threat, especially given the relatively simple nature of the malware, its targeted delivery method and further capability to allow additional actions on objectives.
WARMCOOKIE, as mentioned, uses specific information to target individuals with ‘opportunities’ that would presumably be enticing given the individual’s employment history. Following are screenshots shared by Elastic Security Labs that provide samples for an initial phishing email that could be used in this campaign as well as the landing page that follows after clicking the malicious link within the email. It’s important to note that these are only samples and the actual email and landing page appearances could vary as the campaign progresses.
Phishing Email Sample
Landing Page Sample
As shown in the landing page sample, a given target is prompted for a CAPTCHA solve and once this is entered, download of an obfuscated JavaScript file follows, with Elastic Security Labs indicating the sample obtained during their investigation was named ‘Update_23_04_2024_5689382.js’, and while other sample names collected differed, they followed a similar naming convention.
A PowerShell script is ran following the download of the malicious JS file, which downloads WARMCOOKIE and runs the dynamic link library involved as a backgrounded, autostart executable (using BITS, Background Intelligent Transfer Service). The malware runs with System privileges as a scheduled task to maintain persistence. Static analysis is confounded due to dynamic API loading and targets and identifying strings are protected via encryption.
The host compromised by this malware is fingerprinted, then connection is established with the C2 server, passing values through the HTTP cookie parameter. 7 command handlers are included to allow for command line execution, screenshotting of the target device, file reads and writes and deletion of persistence as necessary, along with several other commands.
This functionality boils down to a simple, lightweight backdoor capable of loading additional malware, ransomware and the like.
Meskauskas, Tomas. “Warmcookie Backdoor Malware.” Www.pcrisk.com, 12 June 2024, www.pcrisk.com/removal-guides/30211-warmcookie-backdoor-malware. Accessed 12 June 2024.
Montalbano, Elizabeth. “WarmCookie Gives Cyberattackers New Backdoor for Initial Access.” Www.darkreading.com, 11 June 2024, www.darkreading.com/cyberattacks-data-breaches/warmcookie-cyberattackers-backdoor-initial-access. Accessed 12 June 2024.
Stepanic, Daniel. “Dipping into Danger: The WARMCOOKIE Backdoor — Elastic Security Labs.” Www.elastic.co, 12 June 2024, www.elastic.co/security-labs/dipping-into-danger. Accessed 12 June 2024.