Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE. WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads.
The backdoor comes with capabilities to fingerprint infected machines, capture screenshots, and drop more malicious programs. The company is tracking the activity under the name REF6127. The attack chains observed since late April involve the use of email messages purporting to be from recruitment firms like Hays, Michael Page, and PageGroup, urging recipients to click on an embedded link to view details about a job opportunity.
Users who end up clicking on the link are then prompted to download a document by solving a CAPTCHA challenge, following which a JavaScript file (“Update_23_04_2024_5689382.js”) is dropped. A crucial component of the campaign is the use of compromised infrastructure to host the initial phishing URL, which is then used to redirect victims to the appropriate landing page. The backdoor is designed to capture information about the infected host in a manner that’s similar to an artifact used in connection with a previous campaign codenamed Resident that targeted manufacturing, commercial, and healthcare organisations.
While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks. However, this technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments.
