Fake browser updates spread updated WarmCookie malware
A new 'FakeUpdate' campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie backdoor.FakeUpdate is a cyberattack strategy used by a threat group known as 'SocGolish' who compromises or creates fake websites to show visitors fake update prompts for a variety of applications, such as web browsers, Java, VMware Workstation, WebEx, and Proton VPN. When users click on update prompts designed to appear legitimate, a fake update is downloaded that drops a malicious payload, like info-stealers, cryptocurrency drainers, RATs, and even ransomware.
The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates.WarmCookie, first discovered by eSentire in mid-2023, is a Windows backdoor recently seen distributed in phishing campaigns using fake job offers as lures.
Its broad capabilities include data and file theft, device profiling, program enumeration (via the Windows Registry), arbitrary command execution (via CMD), screenshot capturing, and the ability to introduce additional payloads on the infected system.
In the latest campaign spotted by Gen Threat Labs, the WarmCookie backdoor has been updated with new features, including running DLLs from the temp folder and sending back the output, as well as the ability to transfer and execute EXE and PowerShell files.
The lure used to trigger the infection is a fake browser update, which is common for FakeUpdate attacks. However, Gen Digital also found a site where a fake Java update was promoted in this campaign.
The infection chain starts with the user clicking on a fake browser update notice, which triggers JavaScript that fetches the WarmCookie installer and prompts the user to save the file.
When the fake software update is executed, the malware performs some anti-VM checks to ensure it's not running on an
analyst's environment and sends the newly infected system's fingerprint to the command and control (C2) server,
awaiting instructions.
Although Gen Threat Labs says the attackers use compromised websites in this campaign, some of the domains shared in the IoC section, like "edgeupdate.com" and"mozilaupgrade.com," seem specifically selected to match the 'FakeUpdate' theme.
Remember, Chrome, Brave, Edge, Firefox, and all modern browsers are automatically updated when new updates
become available.A program restart may be needed for an update to be applied to the browser, but manually
downloading and executing updater packages is never a part of an actual update process and should be seen as
a sign of danger.In many cases, FakeUpdates compromise legitimate and otherwise trustworthy websites,
so these pop-ups should be treated with caution even when you're on a familiar platform.
Leave Fake browser updates spread updated WarmCookie malware to:
Read more #hive-167922 posts
Best Posts From vsemmetall
We have not curated any of vsemmetall's posts yet. But you can encourage our curation team to review posts by visiting them regularly and by referring other readers. Because we give priority to frequently read content.
More Posts From vsemmetall
- Posh Token Claims
- Phishing emails increasingly use SVG attachments to evade detection
- New Android Malware SpyAgent Taking Screenshots Of User’s Devices
- Silk Road Founder Trusts Trump To 'Honor His Pledge' For Commutation
- The greatest mystery in cryptocurrency: the true identity of the inventor of Bitcoin
- ProKYC to bypass two-factor authentication on cryptocurrency exchanges
- Economists Advocate for Ethereum’s Vitalik Buterin as a Potential Nobel Laureate
- Economists Advocate for Ethereum’s Vitalik Buterin as a Potential Nobel Laureate
- Fake browser updates spread updated WarmCookie malware
- Paraguay Shuts Down 2,700 Illegal Bitcoin Miners in Largest Operation Yet
- Paraguay Shuts Down 2,700 Illegal Bitcoin Miners in Largest Operation Yet
- Argentina Looks to Emulate El Salvador’s Bitcoin Success
- Argentina Looks to Emulate El Salvador’s Bitcoin Success
- Julian Assange wins right to appeal against extradition to US
- Donald Trump’s campaign says it will begin accepting contributions through cryptocurrency
- Drug traffickers who think they can operate outside the law on the dark web are wrong.
- Bitcoin Scam
- Puzzle mind
- Puzzle mind
- Binance’s billionaire founder Changpeng Zhao was sentenced to four months in prison on Tuesday