New WarmCookie/BadSpace Malware Targets Organizations

Espionage Group Daggerfly

Cisco Talos researchers uncovered a new and highly adaptive malware family, WarmCookie, also referred to as BadSpace. This malware has been actively used since April 2024, targeting organizations across various sectors through carefully crafted campaigns. WarmCookie delivers a range of functionalities, from command execution to file manipulation and screenshot collection, making it an attractive tool for cybercriminals looking for persistent access to compromised networks.

The initial stages of infection are often initiated through malspam or malvertising. “These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie,” Cisco Talos researchers noted. Malicious emails, often disguised as invoices or job offers, entice victims to click on hyperlinks or open infected PDFs, starting the malware download process.

WarmCookie/BadSpace

WarmCookie emails and attachments | Image: Cisco Talos

Once the malware makes its way onto the target system, it can act as a staging platform for further attacks. Cisco Talos observed that WarmCookie is typically followed by the deployment of CSharp-Streamer-RAT or Cobalt Strike, both well-known tools used by attackers to maintain control over compromised systems.

One of WarmCookie’s key strengths is its versatility. The malware offers attackers a wide array of tools to gain and maintain control over a target system. Researchers from Cisco Talos found that “WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence.”

WarmCookie is particularly dangerous because of its ability to evade detection and persist within a network. Recent campaigns have shown improvements in how WarmCookie hides its activities, making it harder for defenders to spot. For instance, the malware’s user agent strings, which were previously flawed and easily detectable, have been corrected in newer samples, demonstrating that WarmCookie is continually being refined by its developers.

According to Cisco Talos, the malware’s developers have added new features, including “a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server.” This allows attackers to adjust their malware, deploy new payloads, or refine existing ones based on the environment they encounter.

Additionally, WarmCookie has seen changes in how it establishes persistence on infected systems. In earlier samples, WarmCookie executed using a specific command-line parameter. However, in the latest version, this syntax has been slightly altered. The researchers observed that “the execution was consistent with the following: rundll32.exe <DLL_Filename>,Start /p,” which has now been modified to /u in updated samples.

WarmCookie has several connections to known threat actors and malware families. Cisco Talos has found significant overlaps between WarmCookie and the Resident backdoor malware, suggesting that both were likely developed by the same threat actor. “We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samplesand observed several notable similarities,” the report stated. These similarities include consistent implementation of RC4 encryption, mutex management, and persistence mechanisms, hinting at a shared development process.

Further analysis also revealed links between WarmCookie and TA866, a known threat actor involved in previous campaigns.

Related Posts: