WarmCookie malware spreads via new FakeUpdate campaign

October 7, 2024

French users are the current target of a new FakeUpdate campaign that spreads the latest version of the WarmCookie malware.

According to reports, the threat actors use hijacked websites to display fake browser and application updates that spread a backdoor. The researchers who discovered the campaign confirmed that the new malware spreads as bogus Google Chrome, Mozilla Firefox, MS Edge, and Java upgrades.

Researchers first identified WarmCookie in 2023 as a Windows backdoor that was being deployed in phishing attacks using false job offers as bait. Analysis of the malware showed a range of capabilities, including data and file theft, device profiling, application enumeration, arbitrary command execution, screenshot capture, and the delivery of additional payloads to the infected system.

The latest WarmCookie malware variant in this new malicious campaign has showcased additional functionalities.

The investigation of the new FakeUpdate campaign showed that the latest WarmCookie build has added features, such as loading DLLs from the temp folder and returning their output, and transferring and executing EXE and PowerShell files.

Researchers also warn users about these fake browser updates. Reports indicate that threat actors use the FakeUpdate lure to initiate the infection. A new tactic has emerged in this campaign, however: a website offering a fraudulent Java update.

The infection chain typically begins when the user clicks a fake browser update notification, which triggers JavaScript that downloads the WarmCookie installer and prompts the user to save the file.

Once the fake software update is executed, the malware runs anti-VM checks to ensure it is not operating on an analysis system. It then sends the newly infected system’s fingerprint to the C2 server and waits for further instructions.

Although the researchers state that the attackers use hacked websites in this campaign, several domains listed in the IoC section appear to have been deliberately chosen to fit the ‘FakeUpdate’ theme. Users should keep in mind that modern browsers update automatically once a new version becomes available.

At most, a browser restart may be required to apply an update. Manually downloading and executing an updater package is never part of the legitimate update process and should be treated as malicious.

FakeUpdate campaigns typically compromise reputable and widely used websites. Therefore, users should be wary of these pop-ups even when using a familiar platform.
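The infection chain and the guidance above (a browser-initiated download of an executable posing as a Chrome, Firefox, Edge or Java update, served from a site that is not the vendor's own) translate directly into a detection heuristic for download telemetry. The following is an added example, not code from the article or from the researchers it cites; the log format, field names and domains are constructed for illustration, and the vendor allowlist is an assumption a defender would tune to their environment.

```python
"""
Flag browser-initiated downloads whose file name poses as a browser or Java
update but whose source host is not the vendor's own infrastructure.
The log lines, their key=value schema and the hostnames are constructed for
this example (assumption: they do not match any product's real output).
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Processes that a FakeUpdate lure runs inside: the download is driven by the browser.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Assumed legitimate vendor domains for the products named in the campaign.
VENDOR_SUFFIXES = ("google.com", "mozilla.org", "microsoft.com", "oracle.com", "java.com")

# File names that borrow a product name and an update/installer theme.
UPDATE_NAME = re.compile(r"(chrome|firefox|edge|java|browser).*(update|upgrade|install)", re.I)

# Payload types an update lure is likely to drop (WarmCookie is delivered as an installer).
DROPPED_TYPES = (".exe", ".msi", ".js", ".ps1", ".dll")


@dataclass
class Download:
    parent: str    # process that initiated the download
    url: str       # URL the file was fetched from
    filename: str  # name the file was saved under


def host_is_vendor(host: str) -> bool:
    """Exact or subdomain match only, so 'google.com.evil.test' does not pass."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def parse_line(line: str) -> Optional[Download]:
    """Parse a constructed 'key=value' telemetry line; skip lines missing fields."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Download(fields["parent"], fields["url"], fields["file"])
    except KeyError:
        return None


def suspicious_reason(d: Download) -> Optional[str]:
    """Return why a download matches the FakeUpdate pattern, or None if it does not."""
    if d.parent.lower() not in BROWSERS:
        return None
    name = d.filename.lower()
    if not name.endswith(DROPPED_TYPES) or not UPDATE_NAME.search(name):
        return None
    host = urlparse(d.url).hostname or ""
    if host_is_vendor(host):
        return None
    return f"{d.filename} fetched by {d.parent} from non-vendor host {host}"


def scan(log_text: str) -> List[str]:
    """Run the heuristic over every line and return the flagged file names."""
    hits = []
    for line in log_text.splitlines():
        d = parse_line(line)
        if d and suspicious_reason(d):
            hits.append(d.filename)
    return hits


# Constructed sample telemetry: two lures, one vendor download, one PDF, one non-browser parent.
SAMPLE_LOG = """\
parent=chrome.exe url=https://compromised-news-site.test/assets/ChromeUpdate_v129.exe file=ChromeUpdate_v129.exe
parent=chrome.exe url=https://dl.google.com/chrome/install/chrome_installer.exe file=chrome_installer.exe
parent=firefox.exe url=https://compromised-news-site.test/report.pdf file=report.pdf
parent=explorer.exe url=https://share.example.test/java_update.exe file=java_update.exe
parent=msedge.exe url=https://cdn.lookalike-host.test/JavaUpdate.msi file=JavaUpdate.msi
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        d = parse_line(line)
        reason = suspicious_reason(d) if d else None
        print("ALERT:" if reason else "ok:   ", reason or d.filename)
```

The host check is what makes this useful against the campaign as described: the lure is hosted on a compromised but reputable site, so the file name and the initiating browser look plausible and only the mismatch between "Chrome update" and a non-Google host gives it away. In practice the allowlist would be populated from the organization's own software-distribution policy rather than hard-coded.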
