
Ankura CTIX FLASH Update - June 14, 2024

Ransomware/Malware Activity

WARMCOOKIE Backdoor Distributed via Fake Job Offers

Researchers at Elastic Security Labs have reported on an ongoing malware campaign pushing the “WARMCOOKIE” Windows backdoor via fake employment opportunities. Victims are initially sent an email purportedly from a company interested in hiring them. The email encourages the victim to click a link to the company’s internal recruitment platform to learn more. The link directs victims to a landing page that prompts them to solve a CAPTCHA before downloading a JavaScript file containing malicious code. The JavaScript file leverages the Windows Background Intelligent Transfer Service (BITS) to download the WARMCOOKIE DLL, which is then executed via rundll32.exe. WARMCOOKIE collects background information on the infected host, encrypts it, and sends it to the attacker’s command-and-control (C2) server. The backdoor’s main capabilities include capturing screenshots, enumerating registry keys, executing arbitrary commands, dropping files, and reading file contents. It is important to note that the backdoor can serve as a gateway for additional malware. This is not the first time WARMCOOKIE has been observed; it was previously discovered by researchers at eSentire around June 2023. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
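The infection chain above (script host runs the downloaded JavaScript, the payload DLL lands in a user-writable path, rundll32.exe executes it) is a detectable sequence in endpoint telemetry. The following is an added example written for this note, not code from Elastic, eSentire or Ankura; the event field names, the sample events and the `find_script_to_rundll32_chains` helper are constructed assumptions shaped loosely after Sysmon process-creation records.

```python
import re

# Hypothetical detection helper for this note; not any vendor's rule.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLL path an unprivileged user (or a BITS job running as that user) can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"wscript.exe C:\Users\alice\Downloads\Job_Offer.js"},
    {"host": "ws01", "ts": 140, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"},
    # Benign: rundll32 loading a System32 DLL under a service host.
    {"host": "ws02", "ts": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Logon script long before an unrelated rundll32 with no script-host parent.
    {"host": "ws03", "ts": 300, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"wscript.exe C:\Scripts\logon.vbs"},
    {"host": "ws03", "ts": 9000, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"rundll32.exe C:\ProgramData\vendor\helper.dll,Init"},
    {"host": "ws04", "ts": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\SysWOW64\cscript.exe",
     "cmd": r"rundll32.exe C:\Users\bob\AppData\Roaming\cache.dll,Run"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_script_to_rundll32_chains(events, window=300):
    """Flag rundll32 loading a DLL from a user-writable path when a script host is
    its parent or ran on the same host within `window` seconds. Returns (host, cmd)."""
    last_script_ts = {}
    hits = []
    for e in sorted(events, key=lambda ev: (ev["host"], ev["ts"])):
        img = basename(e["image"])
        if img in SCRIPT_HOSTS:
            last_script_ts[e["host"]] = e["ts"]
            continue
        if img != "rundll32.exe" or not USER_WRITABLE.search(e["cmd"]):
            continue
        recent = last_script_ts.get(e["host"])
        if basename(e["parent"]) in SCRIPT_HOSTS or (
                recent is not None and 0 <= e["ts"] - recent <= window):
            hits.append((e["host"], e["cmd"]))
    return hits

if __name__ == "__main__":
    for host, cmd in find_script_to_rundll32_chains(SAMPLE_EVENTS):
        print(f"[{host}] script host -> rundll32 with user-writable DLL: {cmd}")
```

Pairing this with the BITS-Client operational log (a job created by a script host shortly before the rundll32 event) raises confidence further; rundll32 loading DLLs from System32 under a service host, as on ws02, is routine and should not alert.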

Threat Actor Activity

Crypter Specialist Linked to Conti and LockBit Ransomware Arrested

Ukrainian cyber police have made a significant arrest in Kyiv, detaining a 28-year-old Russian man linked to the notorious Conti and LockBit ransomware operations. The Ukrainian programmer faces up to fifteen (15) years in prison if convicted. This arrest, part of 'Operation Endgame,' was facilitated by information from Dutch police following a ransomware attack on a multinational in the Netherlands. The suspect specialized in creating custom crypters, tools designed to disguise ransomware payloads as harmless files, thereby evading detection by popular antivirus products. His services were sold to both the Conti and LockBit groups, enhancing their ability to breach networks successfully. LockBit and Conti have been among the most prolific ransomware groups, with LockBit's malware disrupting thousands of businesses globally, including Boeing and the UK’s Royal Mail, and Conti being notorious for targeting US healthcare organizations. This arrest comes at a time when global law enforcement agencies are intensifying efforts to combat cybercrime. Just last month, the U.S. Justice Department announced the arrest of Rui-Siang Lin, a Taiwanese national connected to the illegal dark web narcotics marketplace Incognito Market. Earlier, in February, efforts were made to shut down the LockBit extortion site, but it resurfaced in May. While unsuccessful in shutting the extortion site down, the FBI did gain possession of up to 7,000 decryption keys that can be used to help LockBit victims reclaim their data. This series of arrests and takedowns, including the recent Operation Endgame, signals a significant blow to cybercriminal networks and emphasizes the international cooperation among law enforcement agencies to tackle the evolving threat of cybercrime.

Vulnerabilities

Black Basta Actively Exploiting Critical Windows Privilege Escalation Vulnerability to Deliver Ransomware

The Black Basta ransomware group, linked to the Cardinal cybercrime group (also known as Storm-1811 and UNC4393), is suspected of exploiting a high-severity privilege escalation vulnerability in the Windows Error Reporting Service as a zero-day. This flaw, tracked as CVE-2024-26169 (CVSS score of 7.8/10), allows attackers to gain SYSTEM-level privileges and was patched by Microsoft in March 2024. Symantec's analysis suggests the exploit tool was active before the patch, possibly as early as December 2023, indicating zero-day exploitation. Black Basta, known for gaining initial access through malware like QakBot and DarkGate, has recently used legitimate Microsoft products such as Quick Assist and Teams to impersonate IT personnel and execute attacks. The exploit tool manipulates registry keys to launch a shell with administrative privileges. Although those timestamps could have been falsified, there appears to be little motive for doing so. Black Basta, with ties to the defunct Conti syndicate, has caused over 500 breaches since April 2022 and extorted over $100 million. The resurgence of ransomware, marked by new variants like DORRA and increased ransom payments, underscores the evolving threat landscape. Applying the latest security updates remains crucial for mitigation. According to Symantec’s protection bulletin, the best course of action to defend against exploitation is through VMware Carbon Black products: “The recommended policy at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from VMware Carbon Black Cloud reputation service.”

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice
