WARMCOOKIE (Backdoor) – Malware

June 14, 2024
in Malware

WARMCOOKIE

Type of Malware

Backdoor

Country of Origin

Unknown

Date of initial activity

2024

Motivation

To scout out victim networks and deploy additional payloads

Attack vectors

Phishing emails

Overview

WARMCOOKIE is a newly discovered backdoor gaining popularity and being used in global campaigns. It serves as an initial tool to scout victim networks and deploy additional payloads. Despite its limited capabilities, WARMCOOKIE poses a significant threat, actively impacting organizations worldwide. Since late April 2024, researchers have observed new phishing campaigns using lures tied to recruiting firms. These emails target individuals by name and current employer, enticing them to pursue new job opportunities by clicking a link to an internal system to view a job description.

Targets

Individuals worldwide, targeted by name and by their current employer.

How they operate

Initial Attack

Victims receive phishing emails containing a link to an internal system to view a job description. Once clicked, users are directed to a landing page that looks legitimate and specifically targeted for them. They are prompted to download a document by solving a CAPTCHA challenge. These landing pages resemble previous campaigns documented by Google Cloud’s security team when discussing a new variant of URSNIF. Once the CAPTCHA is solved, an obfuscated JavaScript file is downloaded from the page. This obfuscated script runs PowerShell, initiating the first task to load WARMCOOKIE. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE and run the DLL with the Start export.

WARMCOOKIE Deployment

WARMCOOKIE is a Windows DLL used by the threat actor in two different stages. The first stage occurs right after the PowerShell download with the execution of WARMCOOKIE using the Start export.
Stage 1

The DLL downloaded to a temporary directory under a random name, such as wid4ta3v.3gm, is copied to C:\ProgramData\RtlUpd\RtlUpd.dll. After the copy, the malware sets up persistence using COM with the Windows Task Scheduler to configure the DLL to run with the following command line:

"C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\RtlUpd\RtlUpd.dll",Start /p

With this design choice, WARMCOOKIE will run with System privileges from the Task Scheduler Engine.

Persistence

A critical part of the infection chain comes from the scheduled task, which is set up at the very beginning of the infection. The task, named RtlUpd, is scheduled to run every 10 minutes, every day.
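A defender-side way to hunt for the persistence described above, added here as an example that is not code from the page or from Elastic's write-up: it parses the CSV produced by `schtasks /query /fo CSV /v` and flags any task that launches rundll32.exe with a DLL stored in a user- or world-writable location such as C:\ProgramData. The CSV sample is constructed and reduced to a handful of the real columns ("TaskName", "Author", "Task To Run", "Repeat: Every" are column names schtasks emits); the "\RtlUpd" row mirrors the command line and 10-minute interval from the text, the other rows are benign filler.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output, cut down
# to a few of its real columns. The "\RtlUpd" row mirrors the task described above;
# the other two rows are benign filler (one of them also uses rundll32, but loads a
# DLL from System32, so it must not be flagged).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Repeat: Every"
"WS01","\RtlUpd","Ready","WS01\user","""C:\WINDOWS\system32\rundll32.exe"" ""C:\ProgramData\RtlUpd\RtlUpd.dll"",Start /p","Daily","0:10:00"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","Weekly","N/A"
"WS01","\Contoso\LegacyControlPanelTask","Ready","CONTOSO\admin","rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL","Daily","N/A"
'''

# rundll32 invocations take the form: rundll32.exe <dll>,<export> [args]
# (quotes around the executable and the DLL path are optional).
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)

# Directories a scheduled task should rarely load a DLL from: world-writable
# ProgramData, per-user AppData, and any Temp directory.
WRITABLE_DIR_RE = re.compile(r'\\(?:ProgramData|Users\\[^\\]+\\AppData|Temp)\\', re.I)


def find_suspicious_rundll32_tasks(schtasks_csv: str) -> list[dict]:
    """Return one finding per task whose action is rundll32 loading a DLL from a
    writable location. Each finding keeps the fields an analyst needs to triage."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        match = RUNDLL32_RE.search(row.get("Task To Run", ""))
        if not match:
            continue
        dll = match.group("dll")
        if not WRITABLE_DIR_RE.search(dll):
            continue
        findings.append({
            "task": row.get("TaskName", ""),
            "dll": dll,
            "export": match.group("export"),
            "repeat": row.get("Repeat: Every", ""),
            "author": row.get("Author", ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rundll32_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"[!] task {f['task']} runs {f['dll']} (export {f['export']}) "
              f"every {f['repeat']}, created by {f['author']}")
```

On a live host, feed the function the output of `schtasks /query /fo CSV /v` instead of the constructed sample; a short "Repeat: Every" interval on a hit, like the 10 minutes seen here, is a strong secondary signal.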
Stage 2

The second stage is where the DLL is combined with the command line (Start /p) and contains the core functionality of WARMCOOKIE. The malware starts by looking for the DLL inside the temporary directory from the PowerShell download.

Obfuscation and Anti-Analysis

WARMCOOKIE protects its strings using a custom string decryption algorithm. The first four bytes of each encrypted string in the .rdata section represent the size, the next four bytes represent the RC4 key, and the remaining bytes represent the string. To prevent static analysis from identifying its core functionality, WARMCOOKIE uses dynamic API loading. There is no API hashing/resolving, and the targeted DLLs and sensitive strings are protected using encryption. The malware contains a few anti-analysis checks commonly used to target sandboxes. These are based on logic for checking the active number of CPU processors and physical/virtual memory values. Each WARMCOOKIE sample comes hard coded with a GUID-like string as a mutex. Below are some examples:

  • f92e6f3c-9cc3-4be0-966c-1be421e69140
  • 91f785f4-2fa4-4c85-954d-b96768ca76f2

Before the main functionality is executed, WARMCOOKIE evaluates an OR condition: either the command-line arguments contain /p, or the scheduled task persistence still needs to be created.

Execution and Communication

Before the backdoor makes its first outbound network request, it captures the following values to fingerprint and identify the victim machine:

  • Volume serial number
  • DNS domain of the victim machine
  • Computer name
  • Username

The WARMCOOKIE C2 server likely leverages a CRC32 checksum function to verify content sent from the victim machine. Inside WARMCOOKIE itself is a checksum function that takes an input string, a length, and an initial seed value for the CRC32 function. At the beginning of the function, the seed value is negated, and the checksum function is called with different seeds at different times.

WARMCOOKIE samples communicate over HTTP with a hardcoded IP address. The family uses a combination of RC4 and Base64 to protect its network traffic. The RC4 key is embedded in each sample and has been observed to be reused across multiple samples. For example, the key used during this analysis is 24de21a8dc08434c.

Bot Functionality

WARMCOOKIE provides seven command handlers for threat actors to retrieve additional victim information, record screenshots, launch additional payloads, etc. The provided functionality is relatively straightforward, allowing threat groups that need a lightweight backdoor to monitor victims and deploy further damaging payloads such as ransomware.
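The two RC4 uses described above, the per-string records in .rdata (4-byte size, 4-byte key, string bytes) and the RC4-then-Base64 layering on the HTTP traffic, share one primitive, so a single analyst helper covers both. The code below is an added example, not code from the page or from Elastic's write-up. It assumes a little-endian size field that counts the string bytes, and that the reported network key 24de21a8dc08434c is used as its literal ASCII bytes; the string record and the fingerprint-style message it decodes are constructed here with the same helpers, since no real blobs are on the page.

```python
import base64
import struct

# RC4 key reported for the analysed sample (from the text above). That it is used as
# the literal ASCII bytes, rather than decoded from hex, is an assumption.
NETWORK_RC4_KEY = b"24de21a8dc08434c"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR with the keystream.
    Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_string_blob(blob: bytes) -> tuple[int, bytes, bytes]:
    """Split one encrypted-string record into (size, rc4_key, ciphertext).

    Layout per the text: 4-byte size, 4-byte RC4 key, then the string bytes.
    Little-endian size and "size = number of string bytes" are assumptions.
    A truncated record is rejected rather than silently decrypting garbage.
    """
    if len(blob) < 8:
        raise ValueError("record shorter than its 8-byte header")
    size = struct.unpack_from("<I", blob, 0)[0]
    key = blob[4:8]
    ciphertext = blob[8:8 + size]
    if len(ciphertext) != size:
        raise ValueError(f"record claims {size} bytes but only {len(ciphertext)} present")
    return size, key, ciphertext


def decrypt_string_blob(blob: bytes) -> str:
    """Recover the plaintext string from one .rdata record."""
    _, key, ciphertext = parse_string_blob(blob)
    return rc4(key, ciphertext).decode("utf-8", errors="replace")


def build_string_blob(plaintext: str, key: bytes) -> bytes:
    """Constructed-sample helper: emit a record in the layout above. Only used to
    create test input here; real samples carry these records in .rdata."""
    data = plaintext.encode("utf-8")
    return struct.pack("<I", len(data)) + key + rc4(key, data)


def decode_c2_message(b64_text: str, key: bytes = NETWORK_RC4_KEY) -> bytes:
    """Reverse the RC4 + Base64 layering applied to the HTTP traffic."""
    return rc4(key, base64.b64decode(b64_text))


def encode_c2_message(plaintext: bytes, key: bytes = NETWORK_RC4_KEY) -> str:
    """Constructed-sample helper: the forward direction, for building test messages."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


# Constructed samples. The record holds an invented DLL name under an invented key;
# the message packs the four fingerprint values from the text in an invented
# pipe-separated order (the real wire format is not described on the page).
SAMPLE_STRING_BLOB = build_string_blob("kernel32.dll", b"\x13\x37\xbe\xef")
SAMPLE_C2_MESSAGE = encode_c2_message(b"1a2b3c4d|CONTOSO.LOCAL|WS01|user")

if __name__ == "__main__":
    print("decrypted string:", decrypt_string_blob(SAMPLE_STRING_BLOB))
    print("decoded message :", decode_c2_message(SAMPLE_C2_MESSAGE))
```

Because RC4 with a reused key is a pure keystream XOR, the same `decode_c2_message` call with a sample's embedded key turns captured Base64 bodies back into the fingerprint and command data the text describes, which is what makes the key reuse across samples useful to defenders writing network detections.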

Significant Malware Campaigns

  • Elastic Security Labs observed a wave of email campaigns in late April targeting environments by deploying a new backdoor we’re calling WARMCOOKIE based on data sent through the HTTP cookie parameter. (June 2024)
References:
  • Dipping into Danger: The WARMCOOKIE backdoor
Tags: Backdoor, CAPTCHA, JavaScript, Malware, Networks, PowerShell, WARMCOOKIE, Windows, Worldwide
