New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers

Cyber Security

Products You May Like

Jun 12, 2024NewsroomCyber Attack / Malware

Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE.

“WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads,” Elastic Security Labs researcher Daniel Stepanic said in a new analysis. “Each sample is compiled with a hard-coded [command-and-control] IP address and RC4 key.”

The backdoor comes with capabilities to fingerprint infected machines, capture screenshots, and drop more malicious programs. The company is tracking the activity under the name REF6127.

The attack chains observed since late April involve the use of email messages purporting to be from recruitment firms like Hays, Michael Page, and PageGroup, urging recipients to click on an embedded link to view details about a job opportunity.


Users who end up clicking on the link are then prompted to download a document by solving a CAPTCHA challenge, following which a JavaScript file (“Update_23_04_2024_5689382.js”) is dropped.

“This obfuscated script runs PowerShell, kicking off the first task to load WARMCOOKIE,” Elastic said. “The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE.”

A crucial component of the campaign is the use of compromised infrastructure to host the initial phishing URL, which is then used to redirect victims to the appropriate landing page.

A Windows DLL, WARMCOOKIE follows a two-step process that allows for establishing persistence using a scheduled task and launching the core functionality, but not before performing a series of anti-analysis checks to sidestep detection.

The backdoor is designed to capture information about the infected host in a manner that’s similar to an artifact used in connection with a previous campaign codenamed Resident that targeted manufacturing, commercial, and healthcare organizations.


It also supports commands to read from and write to files, execute commands using cmd.exe, fetch the list of installed applications, and grab screenshots.

“WARMCOOKIE is a newly discovered backdoor that is gaining popularity and is being used in campaigns targeting users across the globe,” Elastic said.

The disclosure comes as Trustwave SpiderLabs detailed a sophisticated phishing campaign that employs invoice-related decoys and takes advantage of the Windows search functionality embedded in HTML code to deploy malware.

“The provided functionality is relatively straightforward, allowing threat groups that need a lightweight backdoor to monitor victims and deploy further damaging payloads such as ransomware.”


The email messages bear a ZIP archive containing an HTML file, which uses the legacy Windows “search:” URI protocol handler to display a Shortcut (LNK) file hosted on a remote server in the Windows Explorer, giving the impression it’s a local search result.

“This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially trigger additional malicious operations,” Trustwave said, adding it could not retrieve the batch script due to the server being unresponsive.

It’s worth noting that the abuse of search-ms: and search: as a malware distribution vector was documented by Trellix in July 2023.

“While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks,” the company said. “However, this technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

iPhone 16 Shipments in 2024 Not Expected to See Increase Despite Claims, Suggests Analyst
X Said to Be Developing Feature That Lets Users Disable Links in Post Replies
Faulty CrowdStrike Update Crashes Windows Systems, Impacting Businesses Worldwide
Amazon Prime Day 2024 Sale Goes Live: Best Offers on Smartphones, Electronics
WhatsApp Reportedly Developing Feature for Web Client That Lets Users Pick Usernames

Leave a Reply

Your email address will not be published. Required fields are marked *