2024-10-23 TALOS Threat Spotlight: WarmCookie/BadSpace
Summary: WarmCookie, also known as BadSpace, is a sophisticated malware family that emerged in April 2024, primarily distributed through malspam and malvertising. This malware provides long-term access to compromised environments and facilitates the deployment of additional payloads, such as CSharp-Streamer-RAT and Cobalt Strike. Its infection chains and functionality highlight notable development links to Resident backdoor, indicating possible shared authorship by TA866.
WarmCookie’s infection chain initiates through email lures—typically invoice-related and job agency themes—that direct victims to malicious JavaScript-hosting servers. The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command that uses Bitsadmin to download and execute the WarmCookie DLL, embedding itself in the system with persistence.
Persistence: WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay. The latest version modifies the typical command-line syntax from /p to /u for execution parameters.
Command-and-Control (C2) Adaptation: TA866 previously used unique, detectable C2 user-agent strings (e.g., Mozilla/4.0 (compatible; MSIE 6.0…)), which have since been updated to blend with standard strings like Mozilla/5.0… Firefox/115.0.
Self-Updating Mechanism: An initial implementation of a self-update command allows WarmCookie to receive updates dynamically from its C2 server, although this feature appears incomplete.
C2 Command Updates
The latest WarmCookie samples feature new C2 commands:
Command 0x8: Receives a DLL from C2, assigns it a temporary filename, and executes it.
Command 0xA: Similar to Command 0x8 but adds hardcoded parameters, allowing self-updating.
Command 0xB: Moves the malware to a new temporary filename and deletes the scheduled task to disable persistence and terminate the malware process.
Code and Function Similarities to Resident Backdoor
A code-level comparison between Resident backdoor and WarmCookie shows:
RC4 Decryption Consistency: Both use identical RC4 implementations and mutex management, often employing GUID-like strings for mutexes.
Startup Logic: Both use similar logic for identifying execution as a DLL or EXE and establishing persistence through scheduled tasks. They both use rundll32.exe for DLL-based execution and task scheduling.
Coding Conventions: Functions, parameter passing, and persistence mechanisms align closely, suggesting shared development practices or authorship.
File Information