| WARMCOOKIE | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | Unknown |
| Date of initial activity | 2024 |
| Motivation | To scout out victim networks and deploy additional payloads |
| Attack vectors | Phishing emails |
Overview
WARMCOOKIE is a newly identified backdoor that is seeing growing use in global campaigns. It serves as an initial tool to scout victim networks and deploy additional payloads. Despite its limited capabilities, WARMCOOKIE poses a significant threat and is actively impacting organizations worldwide.
Since late April 2024, researchers have observed new phishing campaigns using lures tied to recruiting firms. These emails target individuals by name and current employer, enticing them to pursue new job opportunities by clicking a link to an internal system to view a job description.
Targets
Individuals worldwide, addressed by name and current employer in the phishing lures
How they operate
Initial Attack
Victims receive phishing emails containing a link to an internal system to view a job description. Once clicked, the link directs users to a landing page that looks legitimate and is tailored to them. They are prompted to download a document by solving a CAPTCHA challenge. These landing pages resemble those of previous campaigns documented by Google Cloud's security team when discussing a new variant of URSNIF.
Once the CAPTCHA is solved, an obfuscated JavaScript file is downloaded from the page. This obfuscated script runs PowerShell, initiating the first task to load WARMCOOKIE. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE and run the DLL with the Start export.
WARMCOOKIE Deployment
WARMCOOKIE is a Windows DLL used by the threat actor in two different stages. The first stage occurs right after the PowerShell download with the execution of WARMCOOKIE using the Start export.
Stage 1
The malware copies the downloaded DLL, which sits in a temporary directory under a random name such as wid4ta3v.3gm, to C:\ProgramData\RtlUpd\RtlUpd.dll. After the copy, it sets up persistence through COM with the Windows Task Scheduler, configuring the DLL to run with the following parameters:
```shell
"C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\RtlUpd\RtlUpd.dll",Start /p
```
With this design choice, WARMCOOKIE will run with System privileges from the Task Scheduler Engine.
Persistence: A critical part of the infection chain is the scheduled task, which is set up at the very beginning of the infection. The task, named RtlUpd, is scheduled to run every 10 minutes, every day.
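The persistence described above leaves a recognisable footprint in the task's XML definition (the rundll32.exe command, the RtlUpd.dll path with the Start export and /p switch, and a 10-minute repetition). The following is an added example for defenders, not code from the original report or from the malware: it parses a task export and reports which of those indicators are present. The XML document is a constructed sample following the standard Task Scheduler schema; the SYSTEM principal (S-1-5-18) in it is an assumption based on the statement that the task runs with System privileges, and the exact trigger layout is likewise assumed.

```python
"""Check a Task Scheduler XML export for the WARMCOOKIE RtlUpd persistence pattern.
Added example; SAMPLE_TASK_XML and BENIGN_TASK_XML are constructed, not real exports."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions (schtasks /query /xml, Export-ScheduledTask)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task: values come from the description above; principal and
# trigger layout are assumptions.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-04-29T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\WINDOWS\\system32\\rundll32.exe"</Command>
      <Arguments>"C:\\ProgramData\\RtlUpd\\RtlUpd.dll",Start /p</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task used to show the check does not fire on ordinary rundll32 use.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary><Enabled>true</Enabled>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1000</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>rundll32.exe</Command>
    <Arguments>shell32.dll,Control_RunDLL timedate.cpl</Arguments></Exec></Actions>
</Task>"""


def task_indicators(xml_text: str) -> dict:
    """Return which WARMCOOKIE persistence traits a task definition exhibits."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    user = root.findtext(".//t:Principal/t:UserId", default="", namespaces=NS)
    return {
        "rundll32": "rundll32.exe" in cmd.lower(),
        "rtlupd_dll": "programdata\\rtlupd\\rtlupd.dll" in args.lower(),
        # the DLL is launched through its Start export with the /p switch
        "start_p_export": re.search(r",\s*start\s+/p\b", args, re.IGNORECASE) is not None,
        "ten_minute_repeat": interval.upper() == "PT10M",
        "runs_as_system": user == "S-1-5-18",
    }


def is_warmcookie_persistence(xml_text: str) -> bool:
    """High-confidence match: rundll32 loading RtlUpd.dll via Start /p."""
    ind = task_indicators(xml_text)
    return ind["rundll32"] and ind["rtlupd_dll"] and ind["start_p_export"]


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, is_warmcookie_persistence(xml_text), task_indicators(xml_text))
```

In practice the function would be fed the output of `schtasks /query /xml` or the XML files under C:\Windows\System32\Tasks; the repetition interval and SYSTEM principal are reported separately because they strengthen a match but are not unique to this family.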
Stage 2
The second stage runs when the DLL is invoked with the command line Start /p and contains the core functionality of WARMCOOKIE. The malware starts by looking for the DLL inside the temporary directory used by the PowerShell download.
Obfuscation and Anti-Analysis
WARMCOOKIE protects its strings using a custom string decryption algorithm. The first four bytes of each encrypted string in the .rdata section represent the size, the next four bytes represent the RC4 key, and the remaining bytes represent the string. To prevent static analysis from identifying its core functionality, WARMCOOKIE uses dynamic API loading. There is no API hashing/resolving, and the targeted DLLs and sensitive strings are protected using encryption.
The malware contains a few anti-analysis checks commonly used to detect sandboxes. These check the number of active CPU processors and the physical/virtual memory values. Each WARMCOOKIE sample comes hard-coded with a GUID-like string used as a mutex. Below are some examples:
- f92e6f3c-9cc3-4be0-966c-1be421e69140
- 91f785f4-2fa4-4c85-954d-b96768ca76f2
Before the main functionality is executed, WARMCOOKIE evaluates an OR condition: either the check of the command-line arguments for /p returns True, or the scheduled-task persistence still needs to be created.
Execution and Communication
Before the backdoor makes its first outbound network request, it captures the following values to fingerprint and identify the victim machine:
- Volume serial number
- DNS domain of the victim machine
- Computer name
- Username
The WARMCOOKIE C2 server likely uses a CRC32 checksum to verify content sent from the victim machine. WARMCOOKIE itself contains a checksum function that takes an input string, a length, and an initial seed value for the CRC32 calculation. The seed value is negated at the beginning of the function, and the function is called with different seeds at different points in the code.
WARMCOOKIE samples communicate over HTTP with a hardcoded IP address. The family uses a combination of RC4 and Base64 to protect its network traffic. The RC4 key is embedded in each sample and has been observed to be reused across multiple samples. For example, the key used during this analysis is 24de21a8dc08434c.
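Both the string protection described under Obfuscation and Anti-Analysis (a 4-byte size, a 4-byte RC4 key, then the ciphertext, per string in .rdata) and the RC4 plus Base64 encoding of the network traffic described here come down to the same RC4 routine. The following is an added example written from an analyst's perspective, not the malware's own code or anything from the original report: it implements RC4 once, walks a table of encrypted string records, and decodes a Base64-wrapped C2 message with the key quoted above. Assumptions not stated on the page: the size field is little-endian, the 4-byte key is used directly as the RC4 key, and network data is RC4-encrypted before it is Base64-encoded. The string table and the message are constructed inline with the same routine so the decoders can be exercised offline.

```python
"""Decoders for the WARMCOOKIE string-record layout and RC4+Base64 traffic encoding.
Added example; sample records and messages are constructed here, not captured data."""
from __future__ import annotations

import base64
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation); symmetric, so it decrypts too."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string_record(blob: bytes) -> tuple[bytes, int]:
    """Parse one record: 4-byte size (assumed little-endian), 4-byte RC4 key, ciphertext.
    Returns (plaintext, bytes consumed) so callers can walk consecutive records."""
    if len(blob) < 8:
        raise ValueError("record header truncated")
    (size,) = struct.unpack_from("<I", blob, 0)
    key = blob[4:8]
    if len(blob) < 8 + size:
        raise ValueError("record body truncated")
    return rc4(key, blob[8:8 + size]), 8 + size


def walk_string_table(table: bytes) -> list[bytes]:
    """Decrypt every record in a contiguous run of string records."""
    strings, off = [], 0
    while off + 8 <= len(table):
        plain, used = decrypt_string_record(table[off:])
        strings.append(plain)
        off += used
    return strings


def encode_string_record(key: bytes, plaintext: bytes) -> bytes:
    """Build a record in the same layout; used only to construct sample data."""
    return struct.pack("<I", len(plaintext)) + key + rc4(key, plaintext)


# RC4 key reported for the analysed sample (see text above)
C2_RC4_KEY = b"24de21a8dc08434c"


def decode_c2_message(b64_text: str, key: bytes = C2_RC4_KEY) -> bytes:
    """Base64-decode, then RC4-decrypt (order is an assumption)."""
    return rc4(key, base64.b64decode(b64_text))


def encode_c2_message(plain: bytes, key: bytes = C2_RC4_KEY) -> str:
    """Inverse of decode_c2_message; used only to construct a sample message."""
    return base64.b64encode(rc4(key, plain)).decode("ascii")


# Constructed sample string table: two records with different per-string keys
SAMPLE_STRING_TABLE = (
    encode_string_record(b"\x11\x22\x33\x44", b"kernel32.dll")
    + encode_string_record(b"k3y!", b"C:\\ProgramData\\RtlUpd\\RtlUpd.dll")
)

# Constructed sample message; the fingerprint fields mirror those listed above
SAMPLE_C2_PLAINTEXT = b"serial=DEADBEEF;domain=corp.example;host=WS01;user=jdoe"
SAMPLE_C2_MESSAGE = encode_c2_message(SAMPLE_C2_PLAINTEXT)

if __name__ == "__main__":
    for s in walk_string_table(SAMPLE_STRING_TABLE):
        print("string:", s.decode("ascii", "replace"))
    print("c2 message:", decode_c2_message(SAMPLE_C2_MESSAGE))
```

For real samples the string records would be carved from the .rdata section of the DLL and the message from the HTTP cookie parameter; because the per-string key is stored next to each ciphertext, nothing beyond the record layout is needed to recover the strings.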
Bot Functionality
WARMCOOKIE provides seven command handlers that let threat actors retrieve additional victim information, capture screenshots, launch additional payloads, and so on. The functionality is relatively straightforward, suiting threat groups that need a lightweight backdoor to monitor victims and deploy further damaging payloads such as ransomware.
Significant Malware Campaigns
- Elastic Security Labs observed a wave of email campaigns in late April targeting environments by deploying a new backdoor we’re calling WARMCOOKIE based on data sent through the HTTP cookie parameter. (June 2024)