WARMCOOKIE One Year Later: New Features and Fresh Insights — Elastic Security Labs

Elastic Security Labs reports continued active development and distribution of the WARMCOOKIE backdoor, including new handlers (PE, DLL, PowerShell, DLL Start export), a campaign ID field for clustering, and reuse of a distinctive SSL certificate linked to C2 infrastructure. Observed indicators include numerous C2 IPs/domains and multiple SHA-256 sample hashes; Elastic notes CASTLEBOT as a MaaS loader distributing WARMCOOKIE. #WARMCOOKIE #CASTLEBOT

Key points

  • WARMCOOKIE remains actively developed and distributed, with ongoing infections and new infrastructure observed after initial reporting.
  • Four new handlers were added in 2024 enabling PE execution, DLL execution, PowerShell script execution, and DLL execution via Start export.
  • A campaign ID field is embedded in samples and is used to cluster builds and infer distribution methods (e.g., traffic2, bing variants, lod2lod).
  • Operators receive variant builds with differing command handlers and functionality, possibly distinguished by embedded RC4 keys (example: RC4 key 83ddc084e21a244c tied to PowerShell capability).
  • WARMCOOKIE uses a “string bank” of legitimate company names for folder paths and scheduled task names for defense evasion, chosen using srand seeded by GetTickCount.
  • An SSL certificate (Issuer: Internet Widgits Pty Ltd; SHA1 e88727d4…, SHA256 8c55…) appears to be a default certificate reused across WARMCOOKIE C2 infrastructure, even though it is expired.
  • Elastic published YARA rules and extracted numerous observables (multiple C2 IP addresses, a domain storsvc-win[.]com, and several SHA-256 hashes) to aid detection.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – WARMCOOKIE can execute PowerShell scripts by writing a PS1 to a temporary folder and invoking PowerShell.exe (“…it executes the temporary file directly or uses either rundll32.exe or PowerShell.exe.”)
  • [T1055] Process Injection (DLL Execution) – The backdoor supports DLL execution and DLL execution with Start export by writing DLL content to a temp folder and using rundll32.exe or the Start export to run it (“…writing the file content (EXE / DLL / PS1) to a temporary file… then it executes the temporary file directly or uses either rundll32.exe or PowerShell.exe.”)
  • [T1106] Native API – Use of GetTickCount as a seed for srand to randomly select entries from the string bank for folder/task names (“The malware uses GetTickCount as a seed for the srand function to randomly select a string from the string bank.”)
  • [T1112] Modify Registry (Persistence via Scheduled Task alternative) – Creation of scheduled tasks with names and folder locations that mimic legitimate companies for persistence and evasion (“…scheduled task showing the task name and folder location” and use of the string bank for scheduled task names.)
  • [T1071] Application Layer Protocol (C2 over HTTPS) – Use of HTTPS C2 infrastructure and reuse of an SSL certificate for backend servers (“After extracting the infrastructure… one SSL certificate stands out… Fingerprint (SHA256) 8c5522c6…”)
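The first two techniques above share one observable: a payload dropped into a temporary folder and then run either directly, through rundll32.exe, or through PowerShell.exe. The following detection sketch is an added example written for this summary, not code from Elastic's report or its YARA rules. It runs over constructed process-creation events (the field names `image` and `command_line` are assumed, loosely modelled on Sysmon Event ID 1) and flags the three execution paths the report describes.

```python
import re
from dataclasses import dataclass

# Resolved temp locations as they appear in process-creation telemetry.
# %TEMP% is not handled because logs normally carry the expanded path.
TEMP_DIR_RE = re.compile(r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)", re.IGNORECASE)

# A quoted path ending in .dll/.ps1/.exe, or an unquoted absolute path
# ending in one of those extensions (stops at a word boundary, so
# "x.dll,Start" yields "x.dll").
PATH_RE = re.compile(
    r'"([^"]+?\.(?:dll|ps1|exe))"|([A-Za-z]:\\\S+?\.(?:dll|ps1|exe))\b',
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def temp_payloads(command_line: str) -> list:
    """Paths on the command line that point into a temp directory."""
    paths = [m.group(1) or m.group(2) for m in PATH_RE.finditer(command_line)]
    return [p for p in paths if TEMP_DIR_RE.search(p)]


def classify(event: ProcessEvent):
    """Return a verdict string for the three drop-and-run paths, else None."""
    img = basename(event.image)
    payloads = temp_payloads(event.command_line)
    if img == "rundll32.exe":
        # DLL handler / DLL-via-Start-export handler
        if any(p.lower().endswith(".dll") for p in payloads):
            return "temp_dll_via_rundll32"
    elif img == "powershell.exe":
        # PowerShell handler: PS1 written to temp, then executed
        if any(p.lower().endswith(".ps1") for p in payloads):
            return "temp_ps1_via_powershell"
    elif img.endswith(".exe") and TEMP_DIR_RE.search(event.image):
        # PE handler: the temporary file is executed directly
        return "temp_exe_direct"
    return None


def scan(events):
    """(index, verdict) for every event that matches a rule."""
    out = []
    for i, e in enumerate(events):
        verdict = classify(e)
        if verdict:
            out.append((i, verdict))
    return out


# Constructed sample events (not from the report); user and file names are made up.
EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\AppData\Local\Temp\ksmt.dll,Start"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\bob\AppData\Local\Temp\ksmt.ps1"'),
    ProcessEvent(r"C:\Users\bob\AppData\Local\Temp\ksmt.exe",
                 r"C:\Users\bob\AppData\Local\Temp\ksmt.exe"),
    # Benign: system DLL via rundll32, script from a managed location
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -File "C:\Scripts\inventory.ps1"'),
]

if __name__ == "__main__":
    for idx, verdict in scan(EVENTS):
        print(idx, verdict, EVENTS[idx].command_line)
```

Installers and updaters also execute from temp, so in production this logic is a hunting filter to be joined with parent process, signer and file-prevalence context rather than a stand-alone alert.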

Indicators of Compromise

  • [IPv4] WARMCOOKIE C2 servers – 87.120.126.32, 85.208.84.220, and many others (the full list includes ~40 IPs such as 109.120.137.42 and 195.82.147.3).
  • [Domain] WARMCOOKIE C2 domain – storsvc-win[.]com (listed as a WARMCOOKIE C2 server).
  • [SSL Certificate] Default/reused certificate – Issuer: Internet Widgits Pty Ltd; SHA1 e88727d4f95f0a366c2b3b4a742950a14eff04a4; SHA256 8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc0.
  • [File Hashes – SHA-256] WARMCOOKIE sample hashes – c7bb97341d2f0b2a8cd327e688acb65eaefc1e01c61faaeba2bc1e4e5f0e6f6e, 9d143e0be6e08534bb84f6c478b95be26867bef2985b1fe55f45a378fc3ccf2b, and 6 more SHA-256 hashes listed in the report.
  • [Mutex/Config] Embedded identifiers – campaign IDs (e.g., traffic2, lod2lod, capo, PrivateDLL) and RC4 keys (example RC4 key 83ddc084e21a244c used to cluster builds).
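The certificate indicator is the most reusable of the observables above, but TLS telemetry reports fingerprints in several shapes (colon-separated, upper-case, or only as the raw DER certificate), and domains in reports are de-fanged. The matcher below is an added example for this summary, not code from Elastic; the record layout (`server_ip`, `server_name`, `cert_sha1`, `cert_sha256`, `issuer`) is assumed, and the non-matching records are constructed. It normalizes each form, computes fingerprints from DER bytes when that is all a sensor gives, and matches against the IPs, domain and certificate hashes quoted on this page.

```python
import hashlib

# Indicators quoted on this page. The IP set is a subset of the ~40 listed.
CERT_SHA1 = "e88727d4f95f0a366c2b3b4a742950a14eff04a4"
CERT_SHA256 = "8c5522c6f2ca22af8db14d404dbf5647a1eba13f2b0f73b0a06d8e304bd89cc0"
C2_IPS = {"87.120.126.32", "85.208.84.220", "109.120.137.42", "195.82.147.3"}
C2_DOMAINS = {"storsvc-win.com"}   # given de-fanged as storsvc-win[.]com


def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex with separators removed ('8C:55:...' -> '8c55...')."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def fingerprints_from_der(der: bytes) -> tuple:
    """Certificate fingerprints are hashes of the DER encoding."""
    return hashlib.sha1(der).hexdigest(), hashlib.sha256(der).hexdigest()


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def assess(record: dict) -> set:
    """Set of indicator names the record matches (empty if none).

    The issuer string alone is deliberately not used: 'Internet Widgits
    Pty Ltd' is OpenSSL's default and appears on countless unrelated
    self-signed certificates; only the fingerprints identify this one.
    """
    hits = set()
    if normalize_fingerprint(record.get("cert_sha1", "")) == CERT_SHA1:
        hits.add("c2_cert_sha1")
    if normalize_fingerprint(record.get("cert_sha256", "")) == CERT_SHA256:
        hits.add("c2_cert_sha256")
    if record.get("server_ip", "").strip() in C2_IPS:
        hits.add("c2_ip")
    if refang(record.get("server_name", "")) in C2_DOMAINS:
        hits.add("c2_domain")
    return hits


# Constructed records (not real connection logs).
_fake_der = b"constructed-bytes-standing-in-for-a-der-certificate"
_fake_sha1, _fake_sha256 = fingerprints_from_der(_fake_der)

RECORDS = [
    # Page's certificate, as a sensor might print it: colon-separated, upper-case
    {"server_ip": "203.0.113.10", "server_name": "",
     "cert_sha256": "8C:55:22:C6:F2:CA:22:AF:8D:B1:4D:40:4D:BF:56:47:"
                    "A1:EB:A1:3F:2B:0F:73:B0:A0:6D:8E:30:4B:D8:9C:C0",
     "issuer": "Internet Widgits Pty Ltd"},
    # Known C2 IP and the de-fanged domain, unrelated certificate
    {"server_ip": "87.120.126.32", "server_name": "storsvc-win[.]com",
     "cert_sha1": _fake_sha1, "cert_sha256": _fake_sha256,
     "issuer": "Example CA"},
    # Same default issuer, nothing else in common: must not match
    {"server_ip": "10.0.0.5", "server_name": "intranet.example.local",
     "cert_sha1": _fake_sha1, "cert_sha256": _fake_sha256,
     "issuer": "Internet Widgits Pty Ltd"},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(r["server_ip"], sorted(assess(r)))
```

Because the report notes the certificate is expired, a match on it in live traffic also implies the client accepted an invalid certificate, which is itself worth a detection rule independent of this fingerprint.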


Read more: https://www.elastic.co/security-labs/revisiting-warmcookie