Fake browser updates spread updated WarmCookie malware

A new ‘FakeUpdate’ campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie backdoor.

FakeUpdate is a cyberattack strategy used by a threat group known as ‘SocGolish’ who compromises or creates fake websites to show visitors fake update prompts for a variety of applications, such as web browsers, Java, VMware Workstation, WebEx, and Proton VPN.

When users click on update prompts designed to appear legitimate, a fake update is downloaded that drops a malicious payload, like info-stealers, cryptocurrency drainers, RATs, and even ransomware.

The latest campaign was discovered by researchers at Gen Threat Labs, who observed the WarmCookie backdoor being distributed as fake Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates.

WarmCookie, first discovered by eSentire in mid-2023, is a Windows backdoor recently seen distributed in phishing campaigns using fake job offers as lures.

Its broad capabilities include data and file theft, device profiling, program enumeration (via the Windows Registry), arbitrary command execution (via CMD), screenshot capturing, and the ability to introduce additional payloads on the infected system.

In the latest campaign spotted by Gen Threat Labs, the WarmCookie backdoor has been updated with new features, including running DLLs from the temp folder and sending back the output, as well as the ability to transfer and execute EXE and PowerShell files.

The lure used to trigger the infection is a fake browser update, which is common for FakeUpdate attacks. However, Gen Digital also found a site where a fake Java update was promoted in this campaign.

The infection chain starts with the user clicking on a fake browser update notice, which triggers JavaScript that fetches the WarmCookie installer and prompts the user to save the file.

When the fake software update is executed, the malware performs some anti-VM checks to ensure it’s not running on an analyst’s environment and sends the newly infected system’s fingerprint to the command and control (C2) server, awaiting instructions.

Although Gen Threat Labs says the attackers use compromised websites in this campaign, some of the domains shared in the IoC section, like “edgeupdate[.]com” and “mozilaupgrade[.]com,” seem specifically selected to match the ‘FakeUpdate’ theme.

Remember, Chrome, Brave, Edge, Firefox, and all modern browsers are automatically updated when new updates become available.

A program restart may be needed for an update to be applied to the browser, but manually downloading and executing updater packages is never a part of an actual update process and should be seen as a sign of danger.

In many cases, FakeUpdates compromise legitimate and otherwise trustworthy websites, so these pop-ups should be treated with caution even when you’re on a familiar platform.