Dipping into Danger: The WARMCOOKIE backdoor

June 12, 2024, 11:04 a.m.

Description

Elastic Security Labs identified a new wave of email campaigns that deploy a novel backdoor dubbed WARMCOOKIE, which communicates with its command and control servers via HTTP cookie parameters. The malware is an initial-access tool used to scout victim networks and deploy additional payloads, with hard-coded command and control servers and encryption keys. It can fingerprint machines, capture screenshots, execute commands, and manage files, while employing obfuscation, anti-debugging, and integrity checks. The threat actors rapidly generate new infrastructure to support these recruiting-themed phishing campaigns, which represent a formidable threat actively impacting organizations globally.

Date

  • Created: June 12, 2024, 10:41 a.m.
  • Published: June 12, 2024, 10:41 a.m.
  • Modified: June 12, 2024, 11:04 a.m.

Indicators

  • ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13
  • 80.66.88.146
  • 45.9.74.135
  • 185.49.69.41
  • assets.work-for.top
  • omeindia.com

Attack Patterns