Cybersecurity researchers at Gen Threat Labs have observed multiple websites distributing a piece of malware called WarmCookie, disguised as updates to popular software.
These websites were either built from scratch or were once legitimate and then taken over at some point, the experts noted, but they all gave a false warning to visitors that various parts of their computers were outdated and needed to be updated.
These were their web browsers, Java, VMware Workstation, WebEx or Proton VPN – and visitors who fell for the trick and accepted the download were given a backdoor called WarmCookie – a piece of malware first noticed in mid-2023.
WarmCookie backdoor
The experts have warned that the malware can steal data and various files, enumerate programs via Windows registry, perform arbitrary command execution via CMD, take screenshots and drop additional payloads to the target endpoints as per the operator’s wish.
In addition, WarmCookie can run DLLs from the temporary directory and return the output, and transfer and run EXE and PowerShell files.
Fake update attacks are nothing new. In fact, they are as old as the Internet itself, and are all about making the visitor think that his or her computer is at risk. At its most basic level, the attack is nothing more than a pop-up.
The best way to protect yourself against these attacks is to learn how most of these programs communicate with their users and how they are updated. Most browsers update automatically and never ask their users to download and run an executable file. Other programs usually require the user to visit the official homepage and download a new installation file, which usually overwrites the existing installation. It also helps to install an antivirus program.
Via BleepingComputer