New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers


Cybersecurity researchers have exposed details of an ongoing phishing campaign employing recruitment and job-related themes to distribute a Windows-based backdoor known as WARMCOOKIE.

According to Elastic Security Labs researcher Daniel Stepanic, WARMCOOKIE serves as an initial backdoor tool utilized to probe victim networks and deploy additional malicious payloads. Each instance of WARMCOOKIE includes a hardcoded command-and-control (C2) IP address and RC4 encryption key.

The backdoor is equipped with functionalities to identify infected machines, capture screenshots, and deliver additional malware. Elastic Security Labs has identified this activity under the designation REF6127.

Since late April, the observed attack chains have featured email messages posing as communications from recruitment agencies such as Hays, Michael Page, and PageGroup. These emails urge recipients to click on an embedded link to view job details.

Upon clicking the link, users are directed to download a document after completing a CAPTCHA challenge. Subsequently, a JavaScript file (“Update_23_04_2024_5689382.js”) is deployed.

“This obfuscated script executes PowerShell, initiating the process to load WARMCOOKIE,” explained Elastic. “The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE.”

Central to the campaign is the use of compromised infrastructure to host the initial phishing URL, redirecting victims to the designated landing page.

WARMCOOKIE, a Windows DLL, follows a two-step approach to establish persistence via a scheduled task and initiate core functionalities, preceded by anti-analysis checks to evade detection.

The backdoor is designed to gather information from the infected host, resembling tactics previously used in a campaign called Resident, which targeted manufacturing, commercial, and healthcare sectors. It includes commands to manipulate files, execute commands via cmd.exe, retrieve a list of installed applications, and capture screenshots.

“WARMCOOKIE is a newly identified backdoor gaining traction in campaigns targeting global users,” Elastic noted.

Meanwhile, Trustwave SpiderLabs disclosed a sophisticated phishing campaign that employs invoice-themed lures, leveraging the Windows search functionality embedded in HTML code to distribute malware.

“The functionality provided is relatively straightforward, enabling threat groups needing a lightweight backdoor for monitoring victims and deploying more harmful payloads such as ransomware.”

Emails in this campaign contain a ZIP archive with an HTML file utilizing the legacy Windows “search:” URI protocol handler to display a Shortcut (LNK) file hosted on a remote server in Windows Explorer, falsely appearing as a local search result.

“This LNK file points to a batch script (BAT) hosted on the same server, potentially triggering additional malicious operations upon user interaction,” Trustwave explained, though retrieval was hindered by server unresponsiveness.

It’s noteworthy that the exploitation of search-ms: and search: as vectors for malware distribution was documented by Trellix in July 2023.

“While this attack does not employ automated malware installation, it relies on user interaction with various prompts and clicks,” Trustwave clarified. “This method cleverly conceals the attacker’s true agenda, exploiting users’ trust in familiar interfaces and routine actions such as opening email attachments.”