Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE.

“WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads,” Elastic Security Labs researcher Daniel Stepanic said in a new analysis. “Each sample is compiled with a hard-coded [command-and-control] IP address and RC4 key.”

The backdoor comes with capabilities to fingerprint infected machines, capture screenshots, and drop more malicious programs. The company is tracking the activity under the name REF6127.

The attack chains observed since late April involve the use of email messages purporting to be from recruitment firms like Hays, Michael Page, and PageGroup, urging recipients to click on an embedded link to view details about a job opportunity.

Users who end up clicking on the link are then prompted to download a document by solving a CAPTCHA challenge, following which a JavaScript file (“Update_23_04_2024_5689382.js”) is dropped.

“This obfuscated script runs PowerShell, kicking off the first task to load WARMCOOKIE,” Elastic said. “The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WARMCOOKIE.”

A crucial component of the campaign is the use of compromised infrastructure to host the initial phishing URL, which is then used to redirect victims to the appropriate landing page.

WARMCOOKIE, a Windows DLL, follows a two-step process: it establishes persistence using a scheduled task and then launches its core functionality, but not before performing a series of anti-analysis checks to sidestep detection.

The backdoor is designed to capture information about the infected host in a manner that’s similar to an artifact used in connection with a previous campaign codenamed Resident that targeted manufacturing, commercial, and healthcare organizations.

It also supports commands to read from and write to files, execute commands using cmd.exe, fetch the list of installed applications, and grab screenshots.

“WARMCOOKIE is a newly discovered backdoor that is gaining popularity and is being used in campaigns targeting users across the globe,” Elastic said.

“The provided functionality is relatively straightforward, allowing threat groups that need a lightweight backdoor to monitor victims and deploy further damaging payloads such as ransomware.”

The disclosure comes as Trustwave SpiderLabs detailed a sophisticated phishing campaign that employs invoice-related decoys and takes advantage of the Windows search functionality embedded in HTML code to deploy malware.

The email messages bear a ZIP archive containing an HTML file, which uses the legacy Windows “search:” URI protocol handler to display a Shortcut (LNK) file hosted on a remote server in Windows Explorer, giving the impression it’s a local search result.

“This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially trigger additional malicious operations,” Trustwave said, adding it could not retrieve the batch script due to the server being unresponsive.

It’s worth noting that the abuse of search-ms: and search: as a malware distribution vector was documented by Trellix in July 2023.

“While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks,” the company said. “However, this technique cleverly obscures the attacker’s true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments.”
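For mail-gateway or attachment triage, the search:/search-ms: technique described above can be caught by scanning HTML attachments for those URI schemes and checking whether the search scope points at another host. The following is an added example, not code from Trustwave, Trellix or the article; the function names and the sample host (in the reserved .test TLD) are hypothetical, and the check assumes the remote scope is given in a "location:" crumb.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The two schemes named in the article, matched case-insensitively.
SEARCH_URI = re.compile(r"""\bsearch(?:-ms)?:[^\s"'<>]+""", re.I)
# A "location:" scope that is a UNC path or URL points the search at another host.
REMOTE_LOC = re.compile(r"location:\s*(?:\\{2,}|https?://)([^\\/&\s]+)", re.I)

class _Collector(HTMLParser):
    """Collect every attribute value and text node, so URIs in links,
    redirects and inline script are all inspected."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        self.chunks.extend(v for _, v in attrs if v)
    def handle_data(self, data):
        self.chunks.append(data)

def _decode(s):
    """Undo percent-encoding until stable so encoded backslashes become visible."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s

def find_search_uris(html):
    """Return [(uri, remote_host_or_None)] for each search:/search-ms: URI found."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for chunk in parser.chunks:
        for m in SEARCH_URI.finditer(chunk):
            uri = _decode(m.group(0))
            loc = REMOTE_LOC.search(uri)
            findings.append((uri, loc.group(1).lower() if loc else None))
    return findings

# Constructed sample attachment: one remote-scoped URI, one local-scoped URI.
SAMPLE = r"""<html><body>
<a href="search:query=INVOICE&amp;crumb=location:%5C%5Cfiles.example.test%5Cdocs">view</a>
<a href="search-ms:query=report&amp;crumb=location:C:\Users">local</a>
</body></html>"""

if __name__ == "__main__":
    for uri, host in find_search_uris(SAMPLE):
        print("REMOTE" if host else "local ", host, uri)
```

Any finding with a non-empty host is worth quarantining the attachment for; a URI with a local scope is returned too, so analysts can decide whether the scheme should be allowed in inbound HTML at all.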