Overview

A new wave of cyberattacks has emerged in France, with malicious actors employing a 'FakeUpdate' campaign that tricks users into downloading a dangerous new version of the WarmCookie backdoor through fake browser and application updates.

SocGolish Cyber Threat Group

Known as 'SocGolish,' this cyber threat group is notorious for compromising legitimate websites or crafting fake ones to present users with misleading update notifications for various applications. These commonly include popular web browsers like Chrome, Firefox, and Edge, as well as Java, VMware Workstation, WebEx, and even Proton VPN.

How the Attack Works

When unsuspecting users click on these seemingly genuine update prompts, they inadvertently download a fake update that carries a malicious payload. This payload can range from info-stealers and cryptocurrency drainers to remote access Trojans (RATs) and, in some cases, ransomware—illustrating the serious risks posed by these attacks.

Increase in WarmCookie Distribution

Recent findings by researchers at Gen Threat Labs reveal a significant increase in the distribution of the WarmCookie backdoor in this campaign. This version appears to be masquerading as critical updates for well-known software, which can significantly enhance its chances of successful infiltration.

Background on WarmCookie

Originally uncovered by eSentire in mid-2023, WarmCookie gained notoriety for its distribution through phishing schemes that often involved enticing fake job offers. Its capabilities are extensive and alarming, allowing attackers to engage in data theft, file manipulation, device profiling, and even execute arbitrary commands via the Command Prompt.

Recent Upgrades and Execution

More concerning is its recent upgrade, which allows it to run DLLs from the temporary folder and execute additional malicious files, including EXE and PowerShell scripts.

Infiltration Process

Gen Threat Labs' investigation indicated that the fake browser updates predominantly function as lures, but some campaigns have also promoted fake Java updates, catching even tech-savvy users off guard. The infiltration process begins with a deceptive browser update notice that triggers JavaScript to fetch the WarmCookie installer, leading to the installation of the malware once the user unwittingly saves and executes the file.

Avoiding Detection

As soon as the fake software update is launched, the malware conducts checks to ensure it is not operating within a virtual machine—a common environment used by researchers for cybersecurity analysis. It then sends a fingerprint of the newly infected system to a command and control (C2) server, ready to receive further instructions from the attackers.

Compromised Sites and Suspicious Domains

Interestingly, while Gen Threat Labs emphasized that compromised sites are commonly utilized in these attacks, certain suspicious domain names like "edgeupdate[.]com" and "mozilaupgrade[.]com" appear meticulously chosen to fit the 'FakeUpdate' narrative.

User Precautions

It's crucial for users to remember that modern browsers—such as Chrome, Brave, Edge, and Firefox—implement automatic updates when new versions are available. Manually downloading updates or running updater packages is not standard procedure and should raise alarm bells.

Final Advice

As a preventive measure, users should treat update pop-ups with suspicion, especially when interacting on familiar platforms. Always verify the authenticity of update requests and, when in doubt, visit the official website of the application in question to check for legitimate updates. Stay vigilant, as the threat landscape is evolving with increasingly sophisticated tactics!