Cybersecurity researchers from Gen Threat Labs have observed multiple websites distributing a piece of malware called WarmCookie disguised as updates for popular softwarre.
These websites were either built from scratch, or were legitimate once and then taken over at some point, the experts noted, but were all seen serving a fake warning to the visitors, that different components of their computer were out of date and required updating.
These were either their web browsers, Java, VMware Workstation, WebEx, or Proton VPN – and visitors that fell for the trick and accepted the download were dropped a backdoor called WarmCookie – a piece of malware that was first spotted in mid-2023.
WarmCookie backdoor
The experts have warned the malware can steal data and different files, enumerate programs via the Windows Registry, run arbitrary command execution via CMD, grab screenshots, and drop additional payloads to the target endpoints, at the operator’s will.
What’s more, WarmCookie can run DLLs from the temp folder and send back the output, and transfer and execute EXE and PowerShell files.
Fake update attacks are nothing new – in fact, they are as old as the internet itself, and revolve around tricking the visitor into thinking their computer is at risk. At its most basic level, the attack is nothing more than a popup.
The best way to defend against these attacks is to learn how most of these programs communicate with their users, and how they are updated. Most browsers update automatically, and never ask their users to download and run an executable file. Other programs usually require the user to visit the official home page and download a new installation file which, most of the time, overwrites the existing installation. Also, having an antivirus program installed helps.
Via BleepingComputer
Hackers have been spreading malware via fake Chrome updatesHere’s a list of the best firewalls around todayThese are the best endpoint security tools right now