A new malware family named WarmCookie, also known as BadSpace, has been actively distributed through malspam and malvertising campaigns since April 2024.
See: https://redskyalliance.org/xindustry/windows-backdoor-to-push-badspace
According to a blog post from Cisco Talos published on 23 October 2024, the malware facilitates persistent access to compromised networks. It has been observed as an initial payload, often leading to the deployment of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. WarmCookie campaigns use a variety of lure themes, such as job offers or invoices, to entice victims into clicking malicious links. These campaigns frequently deliver WarmCookie via email attachments or embedded hyperlinks that initiate the infection process.[1]
The malware offers extensive functionality, including command execution, screenshot capture, and payload deployment, making it a valuable tool for maintaining long-term control of compromised systems. The analysis also links WarmCookie to a threat group known as TA866, which has been active since 2023. WarmCookie shares similarities with another malware family, Resident backdoor, previously deployed in TA866 campaigns. Researchers noted overlaps in core functionality and coding conventions, suggesting that the same entity likely developed both malware families.
“While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support than Resident backdoor,” Cisco Talos clarified. “Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter, and AHK Bot.”
WarmCookie’s infection chain typically starts with malicious JavaScript downloaders delivered through either malspam or malvertising. Once executed, these scripts retrieve the WarmCookie payload, allowing the attackers to maintain persistent access within the compromised environment.
The latest samples observed by Cisco Talos show that WarmCookie is evolving, with updates to its persistence mechanism, command structure, and sandbox detection capabilities. “Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added,” the firm explained.
The researchers expect WarmCookie to continue evolving as threat actors refine its functionality. Its connection to TA866 and the similarities with Resident backdoor highlight a continued effort to build and maintain sophisticated tools for long-term cyber espionage and exploitation.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
- REDSHORTS Weekly Cyber Intelligence Briefings: https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.infosecurity-magazine.com/news/malware-warmcookie-users-malicious/