BleepingComputer reports that threat actors have launched phishing campaigns built around phony job and recruitment offers to spread the new, advanced Warmcookie malware, which captures screenshots, fingerprints infected machines, and delivers further payloads on Windows systems.
According to a report from Elastic Security Labs, the malicious recruitment emails contain a link that purports to lead to an internal system hosting the job description but instead redirects targets to spoofed landing pages. These pages require the visitor to solve a CAPTCHA before serving an obfuscated JavaScript file which, when executed, downloads the Warmcookie payload.
Once command-and-control communications are established, Warmcookie fingerprints the compromised machine, then collects key device information and screenshots and executes arbitrary commands, which are subjected to integrity checks, the researchers said.
Beyond enumerating installed programs, injecting files, and exfiltrating certain file data, Warmcookie also evades analysis by refusing to run on devices with insufficient memory values, the researchers added.