WarmCookie Infrastructure Update: Discovering New C2 Servers and Emerging Threats

Gen Threat Labs warns of a new wave of the FakeUpdate campaign delivering the WarmCookie backdoor via compromised websites. An updated WarmCookie infrastructure has been identified, including a C2 IP and multiple linked hosts with shared SSH keys, plus a DarkGate C2 server observed in the same ecosystem. #WarmCookie #FakeUpdate #DarkGate #GenThreatLabs #ThreatFox #VirusTotal

Keypoints

  • Gen Threat Labs flags a new FakeUpdate campaign delivering the WarmCookie backdoor.
  • The WarmCookie backdoor has been updated with additional capabilities.
  • Indicators of compromise include the C2 IP 38.180.91[.]117 (hosted in the Scalaxy B.V. ASN) and four open ports (22, 443, 3389, 8080).
  • Six additional servers share certificate/HTTP response characteristics with the initial IP, expanding the WarmCookie infrastructure.
  • Shared SSH keys (fingerprint: 888f05c2856ad60c5ab1e9826b57b87ae697d16303304959930f4b7e149458ac) link multiple hosts, suggesting a connected network.
  • One linked IP, 91.222.173[.]140, is flagged as a DarkGate C2 server; the files Notepad++.exe and upd_1602649.msix were observed communicating with it.
  • Public sources like VirusTotal and ThreatFox corroborate findings, and monitoring is advised due to the evolving threat.
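The shared-SSH-key pivot in the key points above, as an added Python example that is not code from Gen Threat Labs or Hunt.io: it computes SSH host-key fingerprints from known_hosts-style lines and groups hosts that present the same key, which is how a cluster of linked servers is surfaced from scan data. It assumes the 64-character fingerprint quoted above is the hex SHA-256 of the wire-format host key blob (the form scan datasets commonly publish); the hosts and keys in the block are constructed placeholders, not the report's indicators.

```python
"""Pivot on shared SSH host keys: fingerprint host keys from known_hosts-style
lines and group the hosts that present the same key."""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Wire-format blob for an ssh-ed25519 host key (RFC 8709): type string + 32 key bytes."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_sha256_hex(blob: bytes) -> str:
    """SHA-256 of the raw key blob as lowercase hex: the 64-character form seen in scan data
    (assumption: this is the form the report's fingerprint uses)."""
    return hashlib.sha256(blob).hexdigest()


def fingerprint_openssh(blob: bytes) -> str:
    """The same digest in OpenSSH's display form, SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (host, key_type, blob) from a 'host keytype base64' line."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob's first SSH string must name the key type; anything else is malformed input.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError(f"key type mismatch on {host}")
    return host, key_type, blob


def group_hosts_by_key(lines):
    """Map fingerprint -> sorted list of hosts presenting that key."""
    groups = defaultdict(list)
    for line in lines:
        host, _, blob = parse_known_hosts_line(line)
        groups[fingerprint_sha256_hex(blob)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def shared_key_clusters(lines):
    """Only the groups with more than one host, i.e. candidate linked infrastructure."""
    return {fp: hosts for fp, hosts in group_hosts_by_key(lines).items() if len(hosts) > 1}


# Constructed sample data: three hosts, two of which share one key. The IPs are
# documentation-range placeholders and the key bytes are arbitrary, not the page's IoCs.
KEY_A = build_ed25519_blob(bytes(range(32)))
KEY_B = build_ed25519_blob(bytes(range(32, 64)))
SAMPLE_LINES = [
    f"198.51.100.10 ssh-ed25519 {base64.b64encode(KEY_A).decode()}",
    f"198.51.100.11 ssh-ed25519 {base64.b64encode(KEY_A).decode()}",
    f"203.0.113.5 ssh-ed25519 {base64.b64encode(KEY_B).decode()}",
]

if __name__ == "__main__":
    for fp, hosts in shared_key_clusters(SAMPLE_LINES).items():
        print(fp, "shared by", ", ".join(hosts))
```

A shared host key is a strong link only when the key is not a well-known default (cloned VM images and some appliances ship identical keys), so a cluster found this way should be corroborated with the certificate or HTTP-response overlap the report also describes before hosts are treated as one operator's infrastructure.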

MITRE Techniques

  • [T1071] Command and Control – ‘Utilization of compromised websites to deliver malware’ … ‘Use of specific IP addresses for command and control communication…’
  • [T1003] Credential Dumping – ‘Shared SSH keys among multiple servers indicating potential credential reuse.’
  • [T1210] Exploitation of Remote Services – ‘Open ports (22, 443, 3389, 8080) on the C2 server suggest exploitation of remote services.’

Indicators of Compromise

  • [IP Address] C2 infrastructure – 38.180.91[.]117 (US; Cogent Communications); 91.222.173[.]140 (DarkGate C2 context)
  • [Domain] Domains linked to SSH-key sharing network – adbs.info.tntseminars[.]com, mx1.info.ukshowroom[.]com
  • [File Name] Observed artifacts – Notepad++.exe, upd_1602649.msix (noted as communicating with a DarkGate C2 IP)

Read more: https://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure