WarmCookie, aka BadSpace, is a two-stage backdoor that enables threat actors to collect system information and deploy additional payloads, often spread via phishing campaigns impersonating recruitment firms like PageGroup, Michael Page, and Hays. Darktrace observed multiple incidents in 2024 showing unusual file downloads, HTTP beaconing to a German-based external IP, and BITS abuse, underscoring the value of behavioral analysis and proactive containment. #WarmCookie #BadSpace #PageGroup #MichaelPage #Hays
Keypoints
- WarmCookie is a two-stage backdoor tool used to retrieve victim information and launch additional payloads.
- Primary distribution is via phishing campaigns impersonating recruitment firms (e.g., PageGroup, Michael Page, Hays).
- The malware uses evasion techniques like custom string decryption and dynamic API loading to avoid detection.
- Initial infection includes fingerprinting data such as computer name, username, DNS domain, and volume serial number.
- Communications rely on plain HTTP to a hardcoded external IP (185.49.69[.]41), using URIs of the form /data/<32 hex characters> (e.g. /data/2849d40ade47af8edfd4e08352dd2cc8); the beaconing was observed after the initial file downloads.
- Darktrace detected multiple model alerts (BITS activity, masqueraded file transfer, anomalous HTTP beaconing) and recommended containment actions.
- Containment guidance included blocking the external IP and enforcing a pattern of life to restrict deviations in device behavior.
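The HTTP keypoint above gives two things a defender can key on: a fixed destination IP with a recognisable URI shape, and the timing of the requests themselves. The following Python is an added example (not code from the Darktrace post) that runs both checks over a small constructed proxy log: it matches the published IOCs and, independently, flags any source/destination pair whose request intervals are unusually regular, so the same device is still caught if the operators rotate the IP or URI. The log format, the sample lines and the beaconing thresholds are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators from the write-up summarised above.
KNOWN_C2_IPS = {"185.49.69.41"}
# Both reported URIs are "/data/" followed by 32 hex characters.
C2_URI_RE = re.compile(r"^/data/[0-9a-f]{32}$")

# Constructed proxy log (not real traffic), one request per line:
# "<ISO-8601 time> <src ip> <method> <dst ip> <uri> <status>"
# 10.1.2.3 posts to the C2 roughly every 60 s; 10.1.2.4 browses normally.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.1.2.3 GET 93.184.216.34 /index.html 200
2024-05-01T09:00:05 10.1.2.3 POST 185.49.69.41 /data/2849d40ade47af8edfd4e08352dd2cc8 200
2024-05-01T09:00:10 10.1.2.4 GET 93.184.216.34 /index.html 200
2024-05-01T09:00:11 10.1.2.4 GET 93.184.216.34 /style.css 200
2024-05-01T09:01:04 10.1.2.3 POST 185.49.69.41 /data/2849d40ade47af8edfd4e08352dd2cc8 200
2024-05-01T09:02:06 10.1.2.3 POST 185.49.69.41 /data/2849d40ade47af8edfd4e08352dd2cc8 200
2024-05-01T09:03:05 10.1.2.3 POST 185.49.69.41 /data/2849d40ade47af8edfd4e08352dd2cc8 200
2024-05-01T09:03:40 10.1.2.4 GET 93.184.216.34 /news 200
2024-05-01T09:04:06 10.1.2.3 POST 185.49.69.41 /data/2849d40ade47af8edfd4e08352dd2cc8 200
2024-05-01T09:05:05 10.1.2.3 POST 185.49.69.41 /data/2849d40ade47af8edfd4e08352dd2cc8 200
2024-05-01T09:07:02 10.1.2.4 GET 93.184.216.34 /news/item 200
2024-05-01T09:07:03 10.1.2.4 GET 93.184.216.34 /img.png 200
"""


def parse_line(line):
    """Split one log line into a request record."""
    ts, src, method, dst, uri, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "dst": dst, "uri": uri, "status": int(status)}


def interval_stats(timestamps):
    """Mean and coefficient of variation (stdev / mean) of the gaps between requests."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    mean = statistics.mean(gaps)
    if mean == 0:
        return mean, None
    return mean, statistics.stdev(gaps) / mean


def analyze(log_text, min_requests=5, max_cv=0.1):
    """Return one finding per (src, dst) pair that matches an IOC or beacons regularly.

    A low coefficient of variation over at least min_requests requests means the
    gaps are nearly constant, which is how a sleep-loop implant looks and how a
    person clicking around does not.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_pair[(rec["src"], rec["dst"])].append(rec)

    findings = []
    for (src, dst), reqs in by_pair.items():
        reasons = set()
        if dst in KNOWN_C2_IPS:
            reasons.add("known_c2_ip")
        if any(C2_URI_RE.match(r["uri"]) for r in reqs):
            reasons.add("c2_uri_pattern")
        mean, cv = interval_stats([r["ts"] for r in reqs])
        if len(reqs) >= min_requests and cv is not None and cv <= max_cv:
            reasons.add("regular_beaconing")
        if reasons:
            findings.append({"src": src, "dst": dst, "requests": len(reqs),
                             "interval_mean": mean, "interval_cv": cv,
                             "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

In the sample, only the 10.1.2.3 to 185.49.69.41 pair is reported, with all three reasons; the browsing host is left alone because its gaps vary by two orders of magnitude. Tune `min_requests` and `max_cv` against your own proxy data before alerting on `regular_beaconing` alone: update agents and monitoring tools also poll on fixed timers, so in production that reason is best used to prioritise review rather than to block.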
MITRE Techniques
- [T1189] Drive-by Compromise – Mapping used by the source for the initial access stage. “Reported attack patterns include emails attempting to impersonate recruitment firms such as PageGroup, Michael Page, and Hays. These emails likely represented social engineering tactics…” Note that the behaviour described (recruitment-themed emails luring victims into downloading the payload) fits Phishing (T1566) more closely than a drive-by, so treat it as a phishing lure when mapping detections.
- [T1105] Ingress Tool Transfer – Downloads the WarmCookie backdoor tool onto the victim’s system. “The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WarmCookie and run the DLL with the Start export”
- [T1588.001] Malware – WarmCookie backdoor development and deployment for malicious purposes. “WarmCookie, also known as BadSpace, is a two-stage backdoor tool…”
- [T1570] Lateral Tool Transfer – Transfers the backdoor across different systems within a network. “Facilitates the transfer of the backdoor tool across different systems within a network.”
- [T1071.001] Web Protocols – Communicates with C2 servers over HTTP. “Web Protocols … (T1071.001)”
- [T1583.006] Web Services – Uses web services for distribution and control of the backdoor. “Utilizes web services for the distribution and control of the backdoor.”
- [T1176] Browser Extensions – A persistence technique (malicious browser extensions); the source lists it under PERSISTENCE, not as an initial-access vector. “Browser Extensions – PERSISTENCE – T1176”
- [T1071] Application Layer Protocol – Uses application layer protocols for C2 communications. “Application Layer Protocol – COMMAND AND CONTROL”
- [T1008] Fallback Channels – Maintains communication via fallback mechanisms if primary channels fail. “Fallback Channels – COMMAND AND CONTROL – T1008”
- [T1104] Multi-Stage Channels – C2 proceeds in distinct phases: the first stage fingerprints the host, the second delivers additional payloads. “Two-stage backdoor malware … two distinct phases”
- [T1571] Non-Standard Port – Uses non-standard ports for C2 to avoid detection. “Non-Standard Port – COMMAND AND CONTROL – T1571”
- [T1102.003] Web Service: One-Way Communication – Commands are delivered to the implant through a legitimate web service with no return traffic over that channel. “One-Way Communication – COMMAND AND CONTROL – T1102.003”
- [T1573] Encrypted Channel – Encrypts communications to evade detection. “Encrypted Channel – COMMAND AND CONTROL – T1573”
- [T1090.002] External Proxy – Uses external proxies to obfuscate C2 communications. “External Proxy – COMMAND AND CONTROL – T1090.002”
- [T1095] Non-Application Layer Protocol – Uses non-application layer protocols for stealthy communications. “Non-Application Layer Protocol – COMMAND AND CONTROL – T1095”
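The T1105 entry above describes a PowerShell script abusing BITS to fetch WarmCookie and then running the DLL via its Start export. BITS jobs survive reboots and the download is performed by the BITS service, so the fetch does not show up as a PowerShell network connection; the job itself is the artefact to hunt. The following Python is an added example (not code from the Darktrace post) that triages a list of BITS job records: it scores each job on whether the remote URL hits the published C2 IP or any raw IP, whether the file lands as a loadable binary in a user-writable directory, and whether a script interpreter created the job. The record field names and the sample jobs are assumptions made for the example; real exports (`Get-BitsTransfer -AllUsers`, `bitsadmin /list /allusers /verbose`, or the Microsoft-Windows-Bits-Client/Operational event log) name the fields differently and would need a small mapping step.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Indicator from the write-up summarised above.
KNOWN_C2_IPS = {"185.49.69.41"}
# Script interpreters that rarely have a legitimate reason to create BITS jobs.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories any user can write to; a DLL dropped here is where a loader expects it.
USER_WRITABLE = re.compile(r"^c:\\(?:users\\[^\\]+\\appdata\\|programdata\\|windows\\temp\\)", re.I)
LOADABLE = (".dll", ".exe", ".ps1", ".vbs", ".js")

# Weight per reason; a known C2 hit outweighs the heuristics on its own.
WEIGHTS = {
    "known_c2_ip": 3,
    "raw_ip_url": 1,
    "payload_in_user_writable_dir": 1,
    "created_by_script_host": 1,
}

# Constructed job records (assumed field names, not a real export).
SAMPLE_JOBS = [
    {"job_name": "WU Client Download", "owner": r"NT AUTHORITY\SYSTEM",
     "remote_url": "http://updates.example.com/content/123.cab",
     "local_path": r"C:\Windows\SoftwareDistribution\Download\123.cab",
     "process_path": r"C:\Windows\System32\svchost.exe"},
    {"job_name": "job1", "owner": r"CORP\jdoe",
     "remote_url": "http://185.49.69.41/data/b834116823f01aeceed215e592dfcba7",
     "local_path": r"C:\Users\jdoe\AppData\Local\Temp\update.dll",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"job_name": "deploy-agent", "owner": r"CORP\svc-deploy",
     "remote_url": "http://deploy.corp.example/agent/agent.msi",
     "local_path": r"C:\ProgramData\Deploy\agent.msi",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def is_raw_ip(host):
    """True when the URL host is a literal IP address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_job(job):
    """Score one BITS job; returns the reasons that fired and their summed weight."""
    reasons = []
    host = urlparse(job["remote_url"]).hostname or ""
    if host in KNOWN_C2_IPS:
        reasons.append("known_c2_ip")
    elif is_raw_ip(host):
        reasons.append("raw_ip_url")
    local = job["local_path"]
    if USER_WRITABLE.match(local) and local.lower().endswith(LOADABLE):
        reasons.append("payload_in_user_writable_dir")
    proc = job["process_path"].rsplit("\\", 1)[-1].lower()
    if proc in SCRIPT_HOSTS:
        reasons.append("created_by_script_host")
    return {"job_name": job["job_name"], "owner": job["owner"],
            "score": sum(WEIGHTS[r] for r in reasons), "reasons": reasons}


def triage(jobs, min_score=2):
    """Return jobs at or above min_score, most suspicious first."""
    scored = [triage_job(j) for j in jobs]
    return sorted((r for r in scored if r["score"] >= min_score),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_JOBS):
        print(r)
```

With the default threshold only `job1` is returned; the internal deployment job created by PowerShell scores 1 and is filtered out, which is the point of scoring several weak signals rather than alerting on "PowerShell created a BITS job" alone. Lowering `min_score` to 1 surfaces it for review without promoting it to an incident.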
Indicators of Compromise
- [IP Address] context – 185.49.69[.]41, WarmCookie C2 Endpoint
- [URI] context – /data/2849d40ade47af8edfd4e08352dd2cc8, /data/b834116823f01aeceed215e592dfcba7
- [SHA1 Hash] context – 4ddf0d9c750bfeaebdacc14152319e21305443ff, 5b0a35c574ee40c4bccb9b0b942f9a9084216816
- [MD5 Hash] context – b09beb0b584deee198ecd66976e96237, aa9a73083184e1309431b3c7a3e44427
Read more: https://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution