A new 'FakeUpdate' campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie backdoor.

FakeUpdate is a cyberattack strategy used by a threat group known as 'SocGholish', which compromises or creates fake websites to show visitors fake update prompts for a variety of applications, such as web browsers, Java, VMware Workstation, WebEx, and Proton VPN.

When users click on update prompts designed to appear legitimate, a fake update is downloaded that drops a malicious payload, such as info-stealers, cryptocurrency drainers, RATs, and even ransomware.

The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates.

WarmCookie, first discovered by eSentire in mid-2023, is a Windows backdoor recently seen distributed in phishing campaigns using fake job offers as lures.

Its broad capabilities include data and file theft, device profiling, program enumeration (via the Windows Registry), arbitrary command execution (via CMD), screenshot capturing, and the ability to introduce additional payloads on the infected system.

In the latest campaign spotted by Gen Threat Labs, the WarmCookie backdoor has been updated with new features, including running DLLs from the temp folder and sending back the output, as well as the ability to transfer and execute EXE and PowerShell files.

The infection chain starts with the user clicking on a fake browser update notice, which triggers JavaScript that fetches the WarmCookie installer and prompts the user to save the file.

When the fake software update is executed, the malware performs some anti-VM checks to ensure it is not running in an analyst's environment, then sends the newly infected system's fingerprint to the command and control (C2) server and awaits instructions.

Although Gen Threat Labs says the attackers use compromised websites in this campaign, some of the domains shared in the IoC section, like "edgeupdate[.]com" and "mozilaupgrade[.]com," seem specifically selected to match the 'FakeUpdate' theme.

The lure used to trigger the infection is a fake browser update, which is common for FakeUpdate attacks. However, Gen Digital also found a site where a fake Java update was promoted in this campaign.

A program restart may be needed for an update to be applied to the browser, but manually downloading and executing updater packages is never part of an actual update process and should be treated as a sign of danger.
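The last point, that a real browser or Java update never asks the user to save and run an installer, can be turned into a simple detection rule over browser download telemetry. The following Python is an added example written for this article; it is not code from Gen Threat Labs, eSentire, or BleepingComputer. The log events, field names (`user`, `url`, `file`) and the vendor allowlist are constructed for illustration; the two lookalike hosts are the defanged IoC domains quoted above, re-fanged only so the parser can read them.

```python
"""Flag browser downloads that match the FakeUpdate lure pattern.

Rule: an executable download whose file name or hosting domain borrows a
browser/Java brand (or an 'update' keyword) is suspicious unless it comes
from a known vendor host, because genuine updates are applied in-product
and never hand the user an installer to save and run.
"""
from urllib.parse import urlparse

# Constructed sample events (hypothetical schema, not from any real product).
SAMPLE_EVENTS = [
    {"user": "alice", "url": "https://edgeupdate.com/MicrosoftEdgeUpdate.exe",
     "file": "MicrosoftEdgeUpdate.exe"},
    {"user": "bob", "url": "https://mozilaupgrade.com/FirefoxSetup.msi",
     "file": "FirefoxSetup.msi"},
    {"user": "carol", "url": "https://example.org/report-q3.pdf",
     "file": "report-q3.pdf"},
    {"user": "dave", "url": "https://cdn.internal.example/tools/7zip-installer.exe",
     "file": "7zip-installer.exe"},
    {"user": "eve", "url": "https://dl.google.com/chrome/install/ChromeSetup.exe",
     "file": "ChromeSetup.exe"},
]

# Brand strings (including the 'mozila' misspelling seen in the IoC domain),
# words typical of updater lures, and file types a lure would deliver.
BRANDS = ("chrome", "google", "firefox", "mozilla", "mozila", "edge",
          "microsoft", "java", "oracle")
UPDATE_WORDS = ("update", "upgrade", "setup", "install", "patch")
EXECUTABLE_EXT = (".exe", ".msi", ".js", ".vbs", ".ps1", ".bat", ".hta", ".zip")

# Illustrative allowlist of vendor download hosts; an assumption for the
# example, to be replaced with the organisation's own vetted list.
VENDOR_HOSTS = ("google.com", "microsoft.com", "mozilla.org", "oracle.com", "java.com")


def is_vendor_host(host):
    """True when host equals or is a subdomain of an allowlisted vendor domain."""
    return any(host == v or host.endswith("." + v) for v in VENDOR_HOSTS)


def classify_download(event):
    """Return the reasons an event looks like a fake-update lure (empty if clean)."""
    name = event["file"].lower()
    host = (urlparse(event["url"]).hostname or "").lower()
    reasons = []
    if not name.endswith(EXECUTABLE_EXT):
        return reasons                      # documents etc. are out of scope
    if is_vendor_host(host):
        return reasons                      # first-time installs from the vendor are expected
    if any(b in name for b in BRANDS) and any(w in name for w in UPDATE_WORDS):
        reasons.append("branded updater/installer file name")
    if any(b in host for b in BRANDS):
        reasons.append("brand name in non-vendor hosting domain " + host)
    if any(w in host for w in UPDATE_WORDS):
        reasons.append("update keyword in hosting domain " + host)
    return reasons


def scan(events):
    """Map each flagged user to the reasons; unflagged users are omitted."""
    return {e["user"]: r for e in events if (r := classify_download(e))}


if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

Substring matching on brand names is deliberately loose (a host like `knowledge.example` would match `edge`), so in production the hit should feed a triage queue rather than an automatic block, and the allowlist keeps legitimate first-time installs from the vendor's own CDN out of it.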
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 02 Oct 2024 18:25:22 +0000