Source |
RiskIQ |
Identifier |
8592176 |
Publication date |
2024-10-04 18:49:08 (viewed: 2024-10-04 19:18:09) |
Title |
Fake browser updates spread updated WarmCookie malware |
Text |
#### Targeted Geolocations
- France
## Snapshot
[Gen Threat Labs](https://x.com/GenThreatLabs/status/1840762181668741130) has uncovered a new campaign that uses fake browser and application updates to distribute an updated version of the WarmCookie backdoor. The attackers, using the '[FakeUpdates](https://security.microsoft.com/threatanalytics3/fad0849c-e0a9-47df-8094-ce6e3c7a658b/analystreport)' method, target users in France, spreading malware through compromised websites that mimic legitimate browser update notifications.
## Description
The WarmCookie backdoor, first discovered in 2023, has been observed in [phishing campaigns](https://security.microsoft.com/intel-explorer/articles/d5d815ce) and possesses capabilities such as data theft, device profiling, program enumeration via the Windows registry, arbitrary command execution through CMD, screenshot capturing, and delivering additional malware payloads. In this recent campaign, attackers distributed fake update prompts for Google Chrome, Mozilla Firefox, Microsoft Edge, and Java, tricking users into downloading the malicious WarmCookie payload. The attack begins when a user clicks on a fake update notification. This triggers JavaScript that fetches the WarmCookie installer and prompts the user to save the file. The malware now includes updated features such as running DLLs from the temp folder via rundll32.exe and sending their output back to the operators. It can also transfer and execute EXE and PowerShell files. Once installed, WarmCookie performs anti-VM checks to avoid detection. It then sends the system's fingerprint back to its command-and-control (C2) server for further instructions.
## Microsoft Analysis
Although FakeUpdates is an older social engineering tactic first observed in 2019, it remains persistent, with cybercriminals actively using and adapting its techniques and integrating it into new attack chains. In 2020, cybercriminals employed the "[SocGholish](https://security.microsoft.com/threatanalytics3/985b6e5b-75b1-4d25-8602-1b6e9d34c9a2/overview)" malware distribution framework in FakeUpdates campaigns, some of which used signed binaries such as rundll32.exe along with various second-stage payloads. This framework, embedded in legitimate sites, entices users to install fake updates for browsers and other software, which leads to malware infections. The process mostly requires human interaction: targets are convinced to download installers or updates from a compromised site. Fake updates have been offered as JavaScript files or as ZIP archives containing a .js file. Once the malware is opened, it sends system information back to the C2 server. The impact of these attacks depends on security weaknesses within the infected environment, which may allow attackers to move laterally.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Pilot and deploy [phishing-resistant authentication methods](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods) for users.
- Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy) from all devices in all locations at all times.
- Configure Microsoft Defender for Office 365 to [recheck links on click](https://learn.microsoft.com/en-us/defender-office-365/safe-links-about). Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular [anti-spam](https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about) and [anti-malware](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about) protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Li |
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
|