Date: 07/05/2024
Severity: High
Summary
In late April 2024, Elastic Security Labs observed a series of email campaigns delivering a new Windows backdoor dubbed WARMCOOKIE, which carries its command-and-control (C2) data inside HTTP cookies. Analysis found similarities between WARMCOOKIE and a sample (resident2.exe) previously reported by eSentire, suggesting that the latter is an earlier or modified version of the same family. The lure emails are themed around recruiting and job offers. Once installed, WARMCOOKIE performs initial reconnaissance of the host and acts as a delivery mechanism for further payloads. Each sample carries a hardcoded C2 IP address and RC4 key, so the network indicators below cover only the campaigns observed so far and other builds may contact different infrastructure.
Indicators of Compromise (IOC) List
Type | Indicator
URL/Domain | omeindia.com
URL/Domain | assets.work-for.top
IP Address | 45.9.74.135
IP Address | 80.66.88.146
IP Address | 185.49.69.41
Hash (SHA-256) | ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Type | Query
URL/Domain | userdomainname IN ("omeindia.com") or url IN ("omeindia.com")
URL/Domain | userdomainname IN ("assets.work-for.top") or url IN ("assets.work-for.top")
IP Address | dstipaddress IN ("45.9.74.135") or ipaddress IN ("45.9.74.135") or publicipaddress IN ("45.9.74.135") or srcipaddress IN ("45.9.74.135")
IP Address | dstipaddress IN ("80.66.88.146") or ipaddress IN ("80.66.88.146") or publicipaddress IN ("80.66.88.146") or srcipaddress IN ("80.66.88.146")
IP Address | dstipaddress IN ("185.49.69.41") or ipaddress IN ("185.49.69.41") or publicipaddress IN ("185.49.69.41") or srcipaddress IN ("185.49.69.41")
Hash (SHA-256) | sha256hash IN ("ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13")
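The TDIR queries above are exact-value lookups against single fields. The following Python script is an added example, not Gurucul code and not part of the original advisory; it applies the same indicators to exported log records so the matching can be reproduced outside the platform (for example when triaging a CSV/JSON export during incident response). It reuses the advisory's IOC values and the field names from the queries, but the event records are constructed for this demonstration, and the normalisation it performs (subdomain matching, IP literals used as a URL host, case-insensitive hashes) goes beyond what the page's queries do.

```python
"""Match the advisory's WARMCOOKIE IOCs against normalised log events.

Added example for this advisory; not Gurucul TDIR code. Events are assumed
to be dicts whose keys use the same field names as the TDIR queries.
"""
import ipaddress
from urllib.parse import urlsplit

# IOC values from the advisory's IOC list.
IOC_DOMAINS = {"omeindia.com", "assets.work-for.top"}
IOC_IPS = {"45.9.74.135", "80.66.88.146", "185.49.69.41"}
IOC_SHA256 = {"ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13"}

# Field names mirror the TDIR queries above (assumed already normalised).
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HOST_FIELDS = ("userdomainname", "url")
HASH_FIELDS = ("sha256hash",)


def norm_ip(value):
    """Canonical string form of an IP literal, or None if the value is not one."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def host_from_url(value):
    """Lowercase host of a URL or bare hostname; '' if it cannot be parsed."""
    v = value.strip()
    if "://" not in v:
        v = "//" + v  # make urlsplit treat a bare host as the netloc
    try:
        return (urlsplit(v).hostname or "").lower()
    except ValueError:
        return ""


def domain_matches(host, ioc):
    """Exact match or a subdomain of the IOC; rejects look-alikes such as ioc.evil.example."""
    return host == ioc or host.endswith("." + ioc)


def match_event(event):
    """Return [(field, ioc, kind), ...] for every IOC hit in a single event."""
    hits = []
    for field in IP_FIELDS:
        ip = norm_ip(event.get(field) or "")
        if ip in IOC_IPS:
            hits.append((field, ip, "ip"))
    for field in HOST_FIELDS:
        host = host_from_url(event.get(field) or "")
        if not host:
            continue
        # A URL whose host is an IP literal is missed by the IP-field queries
        # alone, so the URL host is checked against the IP IOCs as well.
        if host in IOC_IPS:
            hits.append((field, host, "ip"))
        for ioc in IOC_DOMAINS:
            if domain_matches(host, ioc):
                hits.append((field, ioc, "domain"))
    for field in HASH_FIELDS:
        digest = (event.get(field) or "").strip().lower()
        if digest in IOC_SHA256:
            hits.append((field, digest, "sha256"))
    return hits


def scan(events):
    """(index, hits) for every event that matched at least one IOC."""
    results = []
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample events (not real telemetry): one hit per IOC type,
# one benign record, and one look-alike domain that must not match.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "45.9.74.135",
     "url": "http://45.9.74.135/"},                                  # proxy: C2 by IP
    {"userdomainname": "cdn.omeindia.com"},                          # DNS: subdomain
    {"sha256hash": "CCDE1DED028948F5CD3277D2D4AF6B22FA33F53ABDE84EA2AA01F1872FAD1D13"},
    {"dstipaddress": "8.8.8.8", "url": "https://example.com/"},      # benign
    {"url": "https://omeindia.com.evil.example/"},                   # look-alike
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {hits}")
```

Running the script reports hits for the first three sample events only; the look-alike host in the last event is not matched because `domain_matches` requires an exact label boundary rather than a substring. When adapting this to real exports, map your log schema onto the field names first, and remember that the hash indicator is SHA-256, so an MD5 or SHA-1 column will never match it.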
References:
https://www.mphasis.com/content/dam/mphasis-com/global/en/home/services/cybersecurity/june-12-10-new-warmcookie-windows-backdoor-pushed-via-fake-job-offers.pdf
https://www.bleepingcomputer.com/news/security/new-warmcookie-windows-backdoor-pushed-via-fakejob-offers/