These aren’t your grandmother’s ‘warm cookies’

A threat actor known as SocGholish has been observed targeting users in France with fake browser updates that install an updated version of the WarmCookie backdoor.

The attack chain involves SocGholish compromising legitimate websites or configuring its own so that when visitors arrive on the site, a prompt is displayed that tells them their browser is out of date and must be updated. When users click on the prompt, a fake update is downloaded that drops the WarmCookie backdoor. Once executed, WarmCookie first checks to ensure it isn’t running on a virtual machine then conducts a profile of the infected systems and sends the results to command and control infrastructure.

Researchers have observed update prompts designed to mimic many of the most popular browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge as well as prompts asking the user to update Java.

Image 1: Fake update prompt for Microsoft Edge

WarmCookie is capable of various functions, including data exfiltration, system profiling, command execution, screenshot capturing, and installing further malware on the system. The new variant observed being deployed during this campaign can also transfer and execute executable PowerShell files, as well as run DLLs in temporary folders and send back the output.

Source: Bleeping Computer

Analysis

SocGholish has been observed conducting drive-by fake update campaigns, also known as watering hole attacks, as early as 2018, so this activity is nothing new. However, the additional capabilities of the updated WarmCookie backdoor increase its threat, as the backdoor can now operate without being detected by anti-virus applications.

It’s likely that SocGholish serves as an initial access broker. Essentially, the group gains initial access and profiles the system. That information is then marketed to cybercriminals, often on the dark web, who can then purchase the access from SocGholish and go on to deploy ransomware or exfiltrate data from the infected system.

Given the success SocGholish achieves using this particular attack vector, it’s unlikely to change its tactics anytime soon. Thus, it’s important that organizations train their employees to be aware of this type of cyberattack and not fall for it.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for emerging threats such as SocGholish’s use of the WarmCookie backdoor. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.

Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

It’s important to remember that browsers automatically check if an update is available and display that information within the browser’s toolbar, or settings window, but never in the body of a website that has been visited. Any unsolicited update prompt coming from a website should be considered suspicious and dismissed or reported to the website administrator.

Related Articles

• Another Chrome zero-day exploited in the wild, patch now
• Google and Mozilla patch browser zero-day vulnerabilities