Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label latest news. Show all posts

New FakeUpdate Cyber Campaign Spreads Updated WarmCookie Backdoor in France

A new wave of cyberattacks is targeting users in France, exploiting fake browser and software update prompts to spread an updated version of the WarmCookie backdoor. The campaign, dubbed “FakeUpdate,” has been linked to the SocGolish threat group, known for using compromised or fake websites to display deceptive update messages for popular applications like Google Chrome, Mozilla Firefox, Microsoft Edge, and Java. 

When users fall for these fake update alerts and click on them, malicious software is installed on their systems instead of a legitimate update. This payload includes tools like info-stealers, remote access trojans (RATs), cryptocurrency drainers, and ransomware. According to researchers from Gen Threat Labs, the WarmCookie backdoor being distributed in this campaign is more advanced than its previous versions. 

Initially discovered by cybersecurity firm eSentire in 2023, WarmCookie is designed to steal data, capture screenshots, run arbitrary commands, and drop additional malicious files. In this latest campaign, it has been updated with new features, such as the ability to run DLLs from a system’s temporary folder and execute PowerShell and EXE files. The infection chain begins when users click on fake update prompts that closely mimic legitimate update notifications. 

Once clicked, a JavaScript file triggers the download of the WarmCookie installer, which bypasses security checks and installs the backdoor. The malware can evade detection through anti-virtual machine (anti-VM) checks, ensuring it’s not being monitored by security analysts before sending system data to its command and control (C2) server. 

While the attackers are primarily using compromised websites to distribute these fake updates, researchers also identified malicious domains designed to look like official update sites, such as “edgeupdate[.]com” and “mozilaupgrade[.]com.” Experts warn that legitimate browsers, including Chrome, Edge, and Firefox, update automatically and do not require users to manually download update files. 

Any pop-up asking users to do so should be viewed with suspicion and avoided.