WarmCookie malware now comes with fake browser updates

I’ve never heard of WarmCookie, but this definitely seems like it’s something we do not want.

As part of NCSAM, we want to let you know about this because malware can come with all kinds of things, whether it is a fake browser update, an email saying that there is something wrong with something like a charge or your bank, or anything else they want to say is wrong.

The biggest paragraph says:

When users click on update prompts designed to appear legitimate, a fake update is downloaded that drops a malicious payload, like info-stealers, cryptocurrency drainers, RATs, and even ransomware.

Usually it just contained everything except ransomware, but now we can add that to what you can get.

WarmCookie, first discovered by eSentire in mid-2023, is a Windows backdoor recently seen distributed in phishing campaigns using fake job offers as lures.

Its broad capabilities include data and file theft, device profiling, program enumeration (via the Windows Registry), arbitrary command execution (via CMD), screenshot capturing, and the ability to introduce additional payloads on the infected system.

The fact it introduces other problems like payloads is nothing new, but this malware has also been updated, according to research.

In the latest campaign spotted by Gen Threat Labs, the WarmCookie backdoor has been updated with new features, including running DLLs from the temp folder and sending back the output, as well as the ability to transfer and execute EXE and PowerShell files.

The lure used to trigger the infection is a fake browser update, which is common for FakeUpdate attacks. However, Gen Digital also found a site where a fake Java update was promoted in this campaign.

Fake browser and Java update prompts

When the fake software update is executed, the malware performs some anti-VM checks to ensure it’s not running on an analyst’s environment and sends the newly infected system’s fingerprint to the command and control (C2) server, awaiting instructions.

The research indicates that while fake websites could be used, they mainly use compromised web pages. Compromised web sites seem to fit my definition of the sophistication attacks.

Remember that your modern browser will install updates upon shutdown and restart, not by popping up something to tell you that there’s an update you’ve got to get.
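
For defenders, here is an added example (not from the original article or from the researchers): a small Python triage script that flags the behaviours described above in process-creation logs. The events are constructed, the field names follow Sysmon Event ID 1, and the browser list, file names and the use of rundll32/regsvr32 as the DLL host are assumptions, since the article only says DLLs are run from the temp folder.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 field names); not real campaign data.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Users\\amy\\Downloads\\ChromeUpdate.exe", "CommandLine": "ChromeUpdate.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe \"C:\\Users\\amy\\AppData\\Local\\Temp\\a1b2.dll\",Start", "ParentImage": "C:\\Users\\amy\\Downloads\\ChromeUpdate.exe"}
{"Image": "C:\\Users\\amy\\AppData\\Local\\Temp\\svc.exe", "CommandLine": "svc.exe", "ParentImage": "C:\\Users\\amy\\Downloads\\ChromeUpdate.exe"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Users\\amy\\AppData\\Local\\Temp\\t.ps1", "ParentImage": "C:\\Users\\amy\\Downloads\\ChromeUpdate.exe"}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}
'''

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed list, extend as needed
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}             # assumed DLL launchers
SHELLS = {"powershell.exe", "pwsh.exe"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def temp_file(text, ext):
    """True if text references a file with this extension under a Temp directory."""
    return re.search(r'\\temp\\[^"]*?\.' + ext + r'\b', text, re.I) is not None

def classify(ev):
    """Return the list of rule tags a single process-creation event trips."""
    image, cmd = ev["Image"], ev["CommandLine"]
    hits = []
    if (base(ev.get("ParentImage", "")) in BROWSERS
            and re.search(r"\\downloads\\", image, re.I) and "update" in base(image)):
        hits.append("fake-update-launch")   # browser spawning a downloaded "update"
    if base(image) in DLL_HOSTS and temp_file(cmd, "dll"):
        hits.append("temp-dll")
    if temp_file(image, "exe"):
        hits.append("temp-exe")             # noisy alone: installers also run from Temp
    if base(image) in SHELLS and temp_file(cmd, "ps1"):
        hits.append("temp-ps1")
    return hits

def scan(jsonl):
    """Classify each JSON line; return (image name, tags) for events with any hit."""
    events = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [(base(e["Image"]), tags) for e in events if (tags := classify(e))]

if __name__ == "__main__":
    for image_name, tags in scan(SAMPLE_EVENTS):
        print(image_name, tags)
```

The temp-exe rule fires on legitimate installers too, so treat it as a signal to correlate with the other tags rather than an alert on its own.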

To read more, please read the article titled Fake browser updates spread updated WarmCookie malware, which goes into more detail on what’s going on here.
