Dipping into Danger: The WARMCOOKIE backdoor — Elastic Security Labs

MITRE Techniques

• [T1566.001] Phishing – Spearphishing Link – “Since late April 2024, our team has observed new phishing campaigns leveraging lures tied to recruiting firms.”
• [T1105] Ingress Tool Transfer – “The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE and run the DLL with the Start export.”
• [T1059.001] PowerShell – “The obfuscated script runs PowerShell, kicking off the first task to load WARMCOOKIE.”
• [T1218.011] Rundll32 – “rundll32.exe $p, Start” (Start export) – Duke DLL execution via Rundll32.
• [T1053.005] Scheduled Task – “persistence using COM with the Windows Task Scheduler to configure the DLL to run” and “scheduled to run every 10 minutes every day.”
• [T1113] Screen Capture – “Record screenshots of victim machine” and subsequent use of GDI/GDIPLUS to generate the image.
• [T1082] System Information Discovery – “Stage 1 fingerprints the victim machines by collecting the IP address and CPU information.”
• [T1041] Exfiltration Over C2 Channel – “The POST requests when sending data back to the C2 server” and encrypted payloads.
• [T1071.001] Web Protocols – “communicate over HTTP with a hardcoded IP address” and protected network traffic using RC4/Base64.
• [T1027] Obfuscated/Compressed Files and Information – “The malware protects its strings using a custom string decryption algorithm.”