Cyber Security News

Research Discovers New Phishing Campaign Targeting Job Seekers


Cybersecurity research has unveiled a new phishing campaign aimed at job seekers that deploys a new Windows backdoor, named WARMCOOKIE by the Elastic Security Labs research team that discovered it.

Email Phishing Campaign Aimed at Job Seekers

The emails targeted recipients using their personal details, including their names and current employers, and enticed them to explore new job prospects by clicking a link that supposedly led to an internal system where they could view a job description.

Upon clicking the link, users are directed to a landing page meticulously crafted to cater to their individual interests. Here, they are presented with the task of solving a CAPTCHA challenge in order to download a document.

After the CAPTCHA is completed, a disguised JavaScript file is downloaded from the webpage. This script launches PowerShell, which in turn loads the WARMCOOKIE backdoor.

The threat actors' strategy involves using compromised infrastructure to host the initial phishing URL, which redirects victims to the tailored landing page. The actors register new domains and stand up new infrastructure on a weekly basis to sustain the ongoing campaigns.
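The hand-off in that chain, a downloaded script file launching PowerShell, is the step a defender can most readily watch for on the endpoint. The following is an added example, not code from the article or from Elastic Security Labs: it rebuilds parent/child process relationships from process-creation log lines and flags a Windows script host (wscript.exe or cscript.exe) spawning powershell.exe, rating the alert higher when the script was run from a download or temp folder. The log format, file paths, process IDs and severity labels are all constructed for this illustration.

```python
# Added example (not the article's or Elastic Security Labs' code): flag a
# Windows script host spawning PowerShell from process-creation events.
# The 'key=value|key=value' log format and every path below are constructed.
import ntpath
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folder hints suggesting the script was a browser download (assumed list).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'key=value|key=value' process-creation line."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]),
                     fields["image"], fields["cmdline"])


def detect_script_host_to_powershell(lines: List[str]) -> List[dict]:
    """Return one alert per powershell.exe whose parent is a script host."""
    events = [parse_event(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for e in events:
        if ntpath.basename(e.image).lower() != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or ntpath.basename(parent.image).lower() not in SCRIPT_HOSTS:
            continue
        # A script host run against a file in a download/temp folder matches
        # a user opening the disguised download; elsewhere it may be admin tooling.
        from_user_path = any(h in parent.cmdline.lower() for h in USER_WRITABLE_HINTS)
        alerts.append({
            "parent_pid": parent.pid,
            "child_pid": e.pid,
            "script_cmdline": parent.cmdline,
            "powershell_cmdline": e.cmdline,
            "severity": "high" if from_user_path else "medium",
        })
    return alerts


# Constructed sample log: one download-launched chain, one maintenance
# script chain, one benign PowerShell started from Explorer.
SAMPLE_LOG = r"""
pid=1001|ppid=900|image=C:\Windows\explorer.exe|cmdline=explorer.exe
pid=2010|ppid=1001|image=C:\Windows\System32\wscript.exe|cmdline="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Job_Description.js"
pid=2044|ppid=2010|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -NoProfile -WindowStyle Hidden
pid=3001|ppid=1001|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe Get-Process
pid=4010|ppid=1001|image=C:\Windows\System32\cscript.exe|cmdline=cscript.exe C:\Scripts\maintenance.vbs
pid=4020|ppid=4010|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -File C:\Scripts\cleanup.ps1
"""

if __name__ == "__main__":
    for alert in detect_script_host_to_powershell(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] pid {alert['parent_pid']} -> {alert['child_pid']}: "
              f"{alert['script_cmdline']}")
```

The parent lookup relies on the parent's own creation event being in the same batch; in a real pipeline the parent image usually arrives as a field on the child event, which removes that dependency. The severity split is deliberate: script hosts spawning PowerShell from a download folder is rarely legitimate, while the same chain from an administrative script directory deserves a look but not an automatic page-out.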

Malware Abilities: Data Extraction, Screenshots and Additional Deployments

The backdoor is designed with the ability to extract data from the compromised host, conduct machine fingerprinting, take screenshots, and deploy additional malicious software.

Elastic Security Labs said: "this malware represents a formidable threat that provides the capability to access target environments and push additional types of malware down to victims."

The research team states that, whilst this malware may have fewer capabilities than other well-known malware families, it should not be underestimated. Its active use is causing significant impact on organizations worldwide.

For further information on how to prevent and detect WARMCOOKIE, Elastic Security Labs provides a series of resources, including YARA rules to identify its activity.