A Bad Day for A “WarmCookie”

While IT professionals across the world were hard at work restoring systems taken down by a faulty CrowdStrike update, threat actors wasted no time seizing on the crisis. Malicious email campaigns began with what initially looked like an ordinary phishing attempt, using a job offer as the social-engineering lure. The sending domains and links varied and were likely compromised sites, used to put distance between the victim and the attacker's real infrastructure.

The redirect URLs appear to carry victim-tracking strings:

[redirect domain]/mp1907/

?read=[redacted]
&t=[redacted]
&set*2Cort=[redacted]
&reference=[redacted]

When the link is clicked, the user is redirected to the "application process" page. The tracking parameters are carried over, with "set*2Cort" now percent-encoded as "set%2A2Cort" (the same key once decoded):

https://michaelpage.com.page-executive.application-process[.]top/page-group/mp/mp.php

?reference=[redacted]
&read=[redacted]
&set%2A2Cort=[redacted]
&ID=[redacted]
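One way to hunt for this redirect chain in proxy logs, as an added example (not code from the original post): the check compares query keys after percent-decoding, so the "set*2Cort" form on the redirector and the "set%2A2Cort" form on the landing page match the same signature, and it also flags the two lure paths. The log lines and host names are constructed placeholders, not the real campaign infrastructure.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query keys present on both the redirect URL and the landing page, compared
# after percent-decoding and lower-casing: "set*2Cort" and "set%2A2Cort"
# decode to the same key.
CAMPAIGN_KEYS = {"read", "reference", "set*2cort"}

# Path suffixes seen in the chain: the redirector and the landing page.
CAMPAIGN_PATH_SUFFIXES = ("/mp1907/", "/page-group/mp/mp.php")

URL_RE = re.compile(r"https?://\S+")


def normalized_query_keys(url):
    """Percent-decode and lower-case every query key in the URL."""
    query = urlsplit(url).query
    return {key.lower() for key, _ in parse_qsl(query, keep_blank_values=True)}


def matches_campaign(url):
    """Flag a URL when its decoded query keys cover the campaign's key set,
    or when its path ends with one of the known lure paths."""
    path = urlsplit(url).path
    path_hit = any(path.endswith(suffix) for suffix in CAMPAIGN_PATH_SUFFIXES)
    key_hit = CAMPAIGN_KEYS <= normalized_query_keys(url)
    return path_hit or key_hit


def scan_proxy_log(lines):
    """Return (line_number, url) for every flagged URL in the log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            if matches_campaign(url):
                hits.append((number, url))
    return hits


# Constructed sample proxy log; hosts are placeholders, not the real ones.
SAMPLE_LOG = [
    "2024-07-19T10:01:02Z 10.0.0.5 GET http://redirector.example/mp1907/?read=a1&t=b2&set*2Cort=c3&reference=d4 302",
    "2024-07-19T10:01:03Z 10.0.0.5 GET https://lure.example/page-group/mp/mp.php?reference=d4&read=a1&set%2A2Cort=c3&ID=e5 200",
    "2024-07-19T10:02:10Z 10.0.0.7 GET https://careers.example/jobs?reference=123&read=1 200",
    "2024-07-19T10:03:44Z 10.0.0.9 GET https://cdn.example/static/app.js 200",
]

if __name__ == "__main__":
    for number, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {number}: {url}")
```

The third sample line shares two of the parameter names with the lure but is not flagged, because the signature requires the full key set or a known path; tighten or loosen CAMPAIGN_KEYS to suit the false-positive rate in your own logs.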

The page displays a CAPTCHA; once the user enters the displayed code, a ZIP file is downloaded:

https://ocean-drive.co[.]uk:443/ocean/job_offer_personal_profile.zip

The ZIP file contains a JavaScript (.js) file made to look like a PDF. When run, it begins downloading the files needed for the infection:

http://176.113.115[.]177/x/z.png

Despite its extension, z.png is actually a PowerShell script, which in turn downloads several more files:

http://176.113.115[.]177/0x.png
http://176.113.115[.]177/x/5.png
http://176.113.115[.]177/0x1.png
http://176.113.115[.]177/x/4.png

4.png contains the Base64-encoded executable and DLL that provide the backdoor/RAT capability. The infection is environment-aware: its behavior changes depending on whether the machine is domain-joined.
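A triage check for the fake image stages (z.png, 4.png and the others), as an added example that is not code from the original post: it confirms whether a file named ".png" actually starts with the PNG signature, and if not, carves every long Base64 run, decodes it, and keeps the ones that decode to a PE image (MZ signature plus an e_lfanew pointer to "PE\0\0"). The sample "4.png" content below is constructed, with two stand-in PE blobs rather than the real Xeno RAT payloads.

```python
import base64
import re
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# A Base64 run long enough to be a payload rather than an identifier.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_real_png(data):
    """True only if the file starts with the PNG signature."""
    return data.startswith(PNG_MAGIC)


def looks_like_pe(blob):
    """MZ signature present and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_base64_pe(data):
    """Decode every long Base64 run and keep the ones that decode to a PE."""
    payloads = []
    for match in B64_RUN.finditer(data):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # bad padding or length: not a clean Base64 run
            continue
        if looks_like_pe(blob):
            payloads.append(blob)
    return payloads


def triage_fake_image(name, data):
    """Summarise whether a '.png' really is one and what it hides."""
    real = is_real_png(data)
    payloads = [] if real else carve_base64_pe(data)
    return {
        "name": name,
        "real_png": real,
        "pe_count": len(payloads),
        "pe_sizes": [len(p) for p in payloads],
    }


def build_fake_pe(size):
    """Constructed stand-in for an embedded PE: only the two signatures."""
    image = bytearray(size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)  # e_lfanew -> 0x80
    image[0x80:0x84] = b"PE\x00\x00"
    return bytes(image)


# Constructed sample: a PowerShell-style dropper saved as "4.png" carrying
# two Base64 blobs, plus a genuine (content-free) PNG for contrast.
SAMPLE_FAKE_PNG = (
    b'$exe = [Convert]::FromBase64String("' + base64.b64encode(build_fake_pe(512)) + b'")\n'
    b'$dll = [Convert]::FromBase64String("' + base64.b64encode(build_fake_pe(768)) + b'")\n'
)
SAMPLE_REAL_PNG = PNG_MAGIC + bytes(32)

if __name__ == "__main__":
    print(triage_fake_image("4.png", SAMPLE_FAKE_PNG))
    print(triage_fake_image("logo.png", SAMPLE_REAL_PNG))
```

Carved blobs can be hashed and compared against the SHA-256 values listed below, or handed to a sandbox; the magic-byte mismatch alone is enough to justify blocking ".png" responses whose body is not a PNG at the proxy.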

Executable
Original Name: Xeno_manager.exe
Internal Name: xeno rat client.exe
Hash (SHA-256): 631713b09731f14b5397059d6358bb580525fbef98bfd2f16321b12677e14ce5

DLL
Name: R22.dll
Hash (SHA-256): bfa8a549ba68882a4b0e80bfa8c04d90a37e45128e8ffe3e101f542f4dd9b089

Ref: Dipping into Danger: The WARMCOOKIE backdoor — Elastic Security Labs
