From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure

Introduction

On September 30, Gen Threat Labs posted a warning on X (formerly Twitter), highlighting a new wave of a FakeUpdate campaign using compromised websites to deliver the WarmCookie backdoor. Of note, an updated version of the backdoor adding capabilities was identified, accompanied by indicators of compromise (IoC), including an IP address. 

Using this command-and-control (C2) server as a starting point, we identified a small subset of infrastructure sharing characteristics to the IP reported on X. Certificates and HTTP response patterns played a large role in our findings, which we'll discuss below.

Initial Findings and Research

The IP address 38.180.91[.]117, identified by Gen Threat Labs as a WarmCookie C2 server, is hosted within the Scalaxy B.V. ASN. Four open ports were observed: 22, 443, 3389, and 8080. By querying this IP in Hunt, we can gain additional insight into its operational context, including details on port configurations and certificate history.

Interestingly, no associated resolving domains were detected for this IP. However, a range of certificates, including both RDP and TLS, which shed light on its operational history. These certificates spanned from mid-June 2024, with the most recent first seen just two days prior to this analysis. 

Additionally, HTTP responses helped in connecting other infrastructure to the updated WarmCookie backdoor. Together, these observations hint at a server that might not be static but instead adapting to changing operational requirements.

While the certificate history alone doesn't confirm we are looking at a repurposed server, it does suggest a high probability of regular maintenance or adaptation that could align with the malwares update cycle.

The distinct certificate properties and HTTP responses observed for this server provided key IOCs for expanding our investigation. Below, we'll discuss the additional IP's likely connected to this new version of WarmCookie.

Uncovering Additional Infrastructure

Using Hunt SQL, we executed a query primarily based on the certificate attributes, with the HTTP response adding for verification. This resulted in six additional servers sharing characteristics with the IP in the previous section. The IP addresses are listed below:

• 91.222.173[.]91

• 178.209.52[.]166

• 185.49.68[.]139

• 185.161.251[.]26

• 194.71.107[.]41

• 194.87.45[.]138

The small number of results strongly suggests that we were indeed tracking relevant infrastructure connected to the updated WarmCookie backdoor.

To further validate our findings, we cross-referenced our results with publicly available sources. Resources such as VirusTotal and ThreatFox proved particularly valuable in this process.

Our scans revealed servers active from late September onward, aligning closely with the IPs listed in ThreatFox, and public reporting.

Shared SSH Keys

Upon reviewing the IPs returned from our query, we found that most yielded nothing significant to pivot on. That was until we got to 91.222.173[.]91, which using the Associations tab in Hunt revealed an interesting connection. This server shared an SSH key (fingerprint: 888f05c2856ad60c5ab1e9826b57b87ae697d16303304959930f4b7e149458ac) with 24 other servers, suggesting a potential network tied to WarmCookie, or use of a standard server image with a pre-configured SSH key that was shared/leaked.

To better understand the associations and the extent of WarmCookies operational reach, we've provided a list of the IPs and any linked domains for defenders to comb through. If you come across something interesting (we did!) let us know.

IPs Sharing SSH Keys

One of the IPs in the above table, 91.222.173[.]140, hosted within the SOLLUTIUM EU Sp z.o.o. ASN, has been flagged as a DarkGate C2 server with two recent files--Notepad++.exe and upd_1602649.msix--actively communicating with the IP.

Given that WarmCookie has been observed in tandem with other known malware families, the presence of a DarkGate C2 within this infrastructure may not be entirely surprising. Still, this finding raises intriguing questions for further investigation, which we leave as an exercise for our readers.

Conclusion

In conclusion, our analysis of WarmCookie's updated infrastructure has uncovered key indicators, linked servers, and potential overlaps with other malware like DarkGate. While we've shared substantial findings that provide a deeper look into this evolving threat, we're withholding the full detection query to continue monitoring this activity.

 While not a major player in the malware landscape, WarmCookie remains worth monitoring for its potential to gain more traction among threat actors.

Thank you for reading, and stay tuned for future updates as we continue tracking this and related threats.

Network Observables