Getting cozy with milk and WARMCOOKIES - Daniel Stepanic (Elastic)

Presented at the VB2024 conference in Dublin, 2 - 4 October 2024.

↓ Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-Getting-cozy-with-milk-and-WARMCOOKIES.pdf
↓ Paper: N/A
→ Details: https://www.virusbulletin.com/conference/vb2024/abstracts/getting-cozy-milk-and-warmcookies/

✪ PRESENTED BY ✪
• Daniel Stepanic (Elastic)

✪ ABSTRACT ✪
WARMCOOKIE is a newly discovered Windows backdoor targeting organizations, with an uptick in activity earlier this year. The backdoor includes capabilities to capture screenshots and deploy additional payloads. Our team has observed WARMCOOKIE being distributed in multiple spam campaigns with different infection chains. From impersonating international staffing firms to equipment rental companies, the email lures are specially crafted to target users worldwide.

In the talk, we will review the history of WARMCOOKIE, including code overlap with previous findings by eSentire. The audience will learn the WARMCOOKIE infection chain, with context and different examples at each step. During the presentation, we will talk about our investigation and the analysis used to track the infrastructure used in WARMCOOKIE infections.

Moving deeper into the presentation, we will review the malware analysis aspects of WARMCOOKIE. This will include walking through its different capabilities, such as anti-analysis, string encryption, communication, and custom structures, along with the underlying command handlers. From our side, WARMCOOKIE represents a new wave of loaders (PIKABOT, LATRODECTUS) offering the minimum set of functionality needed by threat actors. To this day, we are still seeing ongoing activity distributing WARMCOOKIE. Throughout the talk, we will disclose detection strategies, in addition to releasing tooling to interact with the malware in a closed environment.