New WarmCookie malware spreads through links and attachments in emails

Virus descriptions, 24.10.2024, 12:00 PM

Cybersecurity researchers at Cisco Talos have warned of a new malware family called WarmCookie, also tracked as BadSpace, which has been spreading since April 2024.

According to a Cisco Talos blog post, once the malware is running on an infected system it is used to deploy further payloads such as CSharp-Streamer-RAT and Cobalt Strike.

WarmCookie campaigns use a variety of lures, such as job offers or invoices, to entice victims into clicking a link or opening an email attachment and thereby starting the infection chain.

WarmCookie provides a range of functionality, including command execution, screen capture and the installation of additional malware, which makes it a useful tool for maintaining long-term control over compromised systems.

The analysis also links WarmCookie to the group TA866, which has been active since 2023. WarmCookie resembles the Resident backdoor previously used in TA866 attacks; the researchers noted overlap in core functionality and code, indicating that the two families are likely the work of the same developers.

“While there is significant overlap in code and functionality implementations in the Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to the Resident backdoor,” Cisco Talos said.

Another difference is that WarmCookie is usually deployed as an initial-access payload, whereas the Resident backdoor is installed only after several other components, such as WasabiSeed, Screenshotter and AHK Bot, are already in place.

The WarmCookie infection chain usually begins with malicious JavaScript downloaders delivered either by malspam or by malvertising. These scripts fetch and run WarmCookie, which then gives the attackers persistent access to the compromised environment.
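Because the chain starts with a script file arriving by email, a cheap first-line check is to flag script-type attachments, including ones hidden behind a document-looking double extension or packed inside a zip archive. The following Python is an added example written for this article, not Cisco Talos code and not derived from any WarmCookie sample; the extension list and the constructed "invoice" message are assumptions made for the demonstration.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows hands to the script host or HTML application host.
# This list is an assumption for the example, not taken from the article.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def _ext(name):
    """Lower-cased final extension of a filename, ignoring surrounding whitespace."""
    return os.path.splitext(name.strip())[1].lower()


def classify_name(name):
    """Return a reason string if the filename looks like a script lure, else None."""
    ext = _ext(name)
    if ext not in SCRIPT_EXTENSIONS:
        return None
    stem = os.path.splitext(name.strip())[0]
    # "Invoice.pdf.js": a document-looking extension in front of the real one.
    if _ext(stem):
        return f"double extension {name!r}"
    return f"script attachment {name!r}"


def scan_message(raw):
    """Parse an RFC 822 message and list script-type attachments, looking inside zips."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_name(name)
        if reason:
            findings.append(reason)
        if _ext(name) == ".zip":
            data = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        inner = classify_name(member)
                        if inner:
                            findings.append(f"inside {name!r}: {inner}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable zip {name!r}")
    return findings


def build_sample():
    """Constructed lure-shaped message for the example: an 'invoice' mail whose
    zip attachment contains a single .js file with a .pdf double extension.
    The script body is a placeholder comment, not real downloader code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024-10.pdf.js", "// placeholder, not a real downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice 2024-10 overdue"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_2024-10.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The double-extension heuristic is deliberately simple: any name whose stem itself ends in an extension is flagged, so a legitimate `report.v2.js` would also be reported. In a mail gateway this belongs in a triage queue rather than an automatic block, and the archive branch should be extended to the other container formats an organisation actually receives.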

The latest samples observed by Cisco Talos show that WarmCookie is still under active development, with updates to its persistence mechanism, its command set and its sandbox-detection checks.

Researchers expect WarmCookie to keep evolving; its connection to TA866 and its similarities to the Resident backdoor point to a sustained effort to build sophisticated tooling for long-term cyberespionage and exploitation.


Source: www.informacija.rs