An ongoing fake Google Chrome update campaign targeting France has been observed spreading the WarmCookie malware through compromised websites. WarmCookie is a Windows backdoor used to gain access to systems, typically through phishing operations.
It is a two-stage backdoor designed to deploy additional payloads and reconnoitre target networks, and it most commonly spreads through phishing campaigns that impersonate job offers.
WarmCookie can fingerprint machines, take screenshots, exfiltrate stolen data, read and write files, and communicate with a command-and-control (C&C) server to receive commands.
Overview Of The Fake Update Campaign
Gen Threat Labs claims that WarmCookie has also been updated.
The latest version supports the following commands:
- Get the CPU identification and memory size
- Take screenshots
- Enumerate installed programs via the Uninstall registry key
- Execute commands via cmd.exe /c and send back the results via POST
- Write a file to the victim machine
- Read a file and send it back
- Write a DLL to %TEMP%, run it via rundll32.exe, and send back the output
- Same as 8, but starts it with "Start /update" arguments
- Copy itself to %TEMP%
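As an added example (not code from the article or from Gen Threat Labs), the following Python snippet shows how the two most distinctive behaviours in that list can be flagged in process-creation telemetry: rundll32.exe launching a DLL from %TEMP% (with or without the "Start /update" arguments) and cmd.exe /c being spawned by an executable living in %TEMP%. The sample events, field names and file names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon-style, flattened to dicts).
# These are made-up records for illustration, not data from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start /update",
     "parent": r"C:\Users\bob\AppData\Local\Temp\Install_x64.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c systeminfo",
     "parent": r"C:\Users\bob\AppData\Local\Temp\Install_x64.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
]

# Matches a path component inside the per-user %TEMP% directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the WarmCookie-like behaviours a single event matches."""
    hits: List[str] = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    parent = event["parent"]
    # DLL dropped in %TEMP% and launched through rundll32.exe; the
    # "Start /update" argument pair is the variant the article describes.
    if image.endswith("rundll32.exe") and TEMP_DIR.search(cmd):
        hits.append("rundll32_temp_dll")
        if re.search(r"\bStart\s+/update\b", cmd, re.IGNORECASE):
            hits.append("rundll32_start_update")
    # cmd.exe /c execution whose parent process runs from %TEMP%.
    if (image.endswith("cmd.exe")
            and re.search(r"\s/c\s", cmd, re.IGNORECASE)
            and TEMP_DIR.search(parent)):
        hits.append("cmd_from_temp_parent")
    return hits


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (cmdline, behaviours) for every event that matched something."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["cmdline"], hits))
    return results
```

Run against real Sysmon or EDR exports, the %TEMP% pattern should be widened to cover the system-wide temp directory and other user profile layouts.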
WarmCookie is downloaded when a user clicks the fake update prompt on a compromised webpage. Once installed, it contacts its C&C server for further tasking, takes a screenshot, executes commands, and steals data from the disk.
In June, Elastic Security Labs released a report on a phishing effort that uses lures related to jobs and recruitment to spread WarmCookie malware.
Attack chains have been observed since the end of April, using email messages that purport to come from employment agencies such as Hays, Michael Page, and PageGroup to persuade recipients to click an embedded link for information about a job opportunity.
By verifying the legitimacy of software updates before installing them and deploying robust security solutions, users can considerably reduce the chance of falling prey to such sophisticated attacks.