New ‘Warmcookie’ Windows Backdoor Spreads via Fake Job Offers

A new Windows malware named ‘Warmcookie’ is being distributed through fake job offer phishing campaigns, targeting corporate networks. Researchers who discovered this threat noted its capabilities for extensive machine fingerprinting, screenshot capturing, and deploying additional payloads.

The ongoing campaign sees threat actors creating new domains weekly to support their operations, using compromised infrastructure to send phishing emails. These emails, masquerading as job offers, use attention-grabbing subjects and personalization, including the recipient’s name and current employer, to lure victims.

Victims are directed to a fake internal recruitment platform via a link in the email, which redirects to a page mimicking legitimate platforms. To enhance credibility, these pages prompt users to solve a CAPTCHA before downloading a heavily obfuscated JavaScript file, typically named something like ‘Update_23_04_2024_5689382’.

When executed, the JavaScript file runs a PowerShell script that uses the Background Intelligent Transfer Service (BITS) to download the Warmcookie DLL file from a specified URL, executing it via rundll32.exe. The Warmcookie payload is then copied to C:\ProgramData\RtlUpd\RtlUpd.dll, and a scheduled task named ‘RtlUpd’ is created to run every 10 minutes.
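The persistence artifacts named above (the scheduled task ‘RtlUpd’, the DLL at C:\ProgramData\RtlUpd\RtlUpd.dll, the rundll32.exe launch and the BITS download) give a defender concrete things to check on a suspect host. The PowerShell below is an added example written for this article, not code from the researchers who analysed Warmcookie; the task name and DLL path are taken from the text, while the function name, output format and the broader rundll32/ProgramData check (which also catches renamed variants of the same technique) are this example's own assumptions.

```powershell
# Added example (not from the article): hunt for the Warmcookie persistence
# artifacts the article names. Run in an elevated PowerShell session so that
# all users' scheduled tasks and BITS jobs are visible.

function Find-WarmcookieArtifacts {
    [CmdletBinding()]
    param(
        [string]$TaskName = 'RtlUpd',                           # from the article
        [string]$DllPath  = 'C:\ProgramData\RtlUpd\RtlUpd.dll'  # from the article
    )

    $findings = @()

    # 1. The scheduled task the article describes (runs every 10 minutes).
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = foreach ($a in $task.Actions) { "$($a.Execute) $($a.Arguments)" }
        $findings += [pscustomobject]@{
            Indicator = 'ScheduledTask'
            Detail    = "$($task.TaskPath)$($task.TaskName) -> $($actions -join '; ')"
        }
    }

    # 2. The dropped DLL on disk. Hash it so the value can be shared with other
    #    responders before the file is removed.
    if (Test-Path -LiteralPath $DllPath) {
        $hash = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'DroppedDll'
            Detail    = "$DllPath SHA256=$hash"
        }
    }

    # 3. Assumption of this example: any other scheduled task whose action is
    #    rundll32 loading a DLL out of ProgramData is worth a look, since a
    #    renamed sample would keep the technique and drop the known name.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -ne $TaskName } |
        ForEach-Object {
            foreach ($a in $_.Actions) {
                if ($a.Execute -match '(?i)rundll32' -and $a.Arguments -match '(?i)\\ProgramData\\') {
                    $findings += [pscustomobject]@{
                        Indicator = 'SuspiciousRundll32Task'
                        Detail    = "$($_.TaskPath)$($_.TaskName) -> $($a.Execute) $($a.Arguments)"
                    }
                }
            }
        }

    # 4. BITS jobs for all users. The loader fetched the DLL over BITS, so a
    #    leftover or still-running job is useful context; legitimate jobs
    #    (Windows Update, browsers) will appear here too and need triage.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'BitsJob'
            Detail    = "$($_.DisplayName) state=$($_.JobState) owner=$($_.OwnerAccount)"
        }
    }

    return $findings
}

# Usage: list anything found on this host.
Find-WarmcookieArtifacts | Format-Table -AutoSize
```

An empty result does not clear the host (a sample could use a different task name or drop path), but any ‘ScheduledTask’ or ‘DroppedDll’ hit matches the behaviour the article describes and should be escalated, with the SHA256 recorded before cleanup.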

Upon execution, Warmcookie establishes communication with its command and control (C2) server and begins fingerprinting the victim’s machine. Initially, it collects key information such as volume serial number, DNS domain, computer name, and username, encrypting and sending this data to the C2 via the HTTP cookie parameter.

Warmcookie’s main capabilities include:
– Retrieving victim information like IP address and CPU details
– Capturing screenshots using Windows native tools
– Enumerating installed programs via the registry
– Executing arbitrary commands using ‘cmd.exe’ and sending output to the C2
– Dropping files in specified directories
– Reading contents of specified files and sending them to the C2

Warmcookie is designed to evade analysis environments by refusing to run if the number of CPU processors and physical/virtual memory values fall below certain thresholds.

Preventing Warmcookie infections involves a multi-layered approach, starting with educating employees about the dangers of phishing emails and the importance of verifying job offers. Regularly updating antivirus software and employing endpoint detection and response (EDR) tools can help identify and mitigate malware threats.