WarmCookie Malware Hijacking Google Accounts

Report Updated: October 19, 2024

Threat Group: SocGolish
Threat Type: Backdoor Malware
Exploited Vulnerabilities: Misleading browser update pop-ups
Malware Used: WarmCookie
Threat Score: 8.2/10 (High risk due to widespread phishing campaigns and advanced backdoor capabilities)
Last Threat Observation: October 7, 2024

Overview

WarmCookie is a Windows backdoor malware initially discovered in mid-2023 and is currently spreading through a FakeUpdate campaign. This malware is distributed by hijacking legitimate websites to display fake browser or application updates for Google Chrome, Mozilla Firefox, Microsoft Edge, and Java. The malware's primary targets are users in France and other regions affected by the SocGolish threat group. Once installed, WarmCookie enables attackers to perform data theft, device profiling, arbitrary command execution, and more, making it a significant security concern.

Key Details

• Delivery Method: Fake browser and software updates (Google Chrome, Firefox, Edge, Java).
• Target: Primarily French users, with potential for global reach.
• Functions:
  • File and data theft.
  • Device profiling and screenshot capturing.
  • Execution of EXE, PowerShell, and DLL files.
  • Deployment of additional payloads.
  • Persistence through Windows Task Scheduler.

Attack Vectors

WarmCookie is delivered primarily through phishing campaigns and fake software update pop-ups, a technique used by the SocGolish threat group. Users are tricked into downloading malicious payloads disguised as legitimate software updates. Upon installation, the malware runs anti-analysis checks and communicates with a command-and-control (C2) server for further instructions, such as executing PowerShell scripts, loading DLLs, and transferring data.

Indicators of Compromise (IoCs)

Domains:

• edgeupdate[.]com
• mozilaupgrade[.]com

File Paths:

%LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data

Registry Keys:

HKCU\Software\Google\Chrome\PreferenceMACs\Default\Extensions\lmhojphfgmoabccjaafidpjphflmjhil

IP Addresses (as of 7 June 2024):

185[.]49.70.98

87[.]251.67.92

80[.]66.88.146

185[.]49.69.41

File Hash (SHA256):

ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13

Exploited Vulnerabilities

• Google OAuth MultiLogin Endpoint: Attackers use this endpoint to synchronize Google accounts across services. By extracting token-GAIA ID pairs, they regenerate Google cookies, providing persistent access to victim accounts​.

Affected Groups

The technique has been rapidly adopted by several infostealer malware groups, including:

• Lumma
• Rhadamanthys
• Risepro
• Meduza
• Stealc
• White Snake

Mitigation Strategies

1. Enhanced Safe Browsing: Enable this feature in Chrome to protect against phishing and malware downloads.
2. Regular Sign-Out: Ensure regular sign-out from all devices to invalidate stolen session tokens.
3. Endpoint Protection: Use robust endpoint protection solutions to detect and remove malware.
4. Network Monitoring: Implement monitoring to detect unusual traffic patterns indicative of data exfiltration.

Google's Response

Google has acknowledged the issue and taken steps to secure compromised accounts. They emphasize that users can invalidate stolen sessions by signing out from affected browsers or using the remote session termination feature available in their Google account settings.

Recommendations

• Awareness and Training: Educate users about the risks of downloading untrusted software and the importance of maintaining up-to-date security practices.
• Regular Updates: Keep browsers and security software updated to protect against the latest threats.
• Incident Response: Develop a comprehensive incident response plan to quickly address any potential compromises.

Conclusion

WarmCookie poses a significant risk to organizations due to its advanced backdoor functionalities and widespread distribution through phishing campaigns. Organizations must remain vigilant and enforce strict policies around software updates and email security to mitigate this threat.

• BleepingComputer: Fake browser updates spread WarmCookie malware
• iZOOlogic: WarmCookie malware spreads via FakeUpdate
• Elastic Security Labs: Dipping into Danger: The WARMCOOKIE backdoor