Sat Oct 05 2024

Watch out!

Victims are being targeted by software-upgrade scams that, on closer inspection, turn out to be quite absurd.

Cybersecurity researchers at Gen Threat Labs have detected several websites distributing malware known as WarmCookie, which is disguised as updates for popular software. These websites were either built from scratch or were legitimate at some point before being taken over by attackers. According to experts, all of these sites displayed a false alert to visitors, claiming that various components of their computers were outdated and needed to be updated.

The affected components included web browsers, Java, VMware Workstation, WebEx, and Proton VPN. Users who fell for the trap and accepted the download ended up installing a backdoor called WarmCookie, which was first identified in mid-2023.

WarmCookie is particularly dangerous as it has the ability to steal data and files, enumerate programs through the Windows Registry, execute arbitrary commands via CMD, take screenshots, and deploy additional payloads on the victims' systems at the operator's discretion. Additionally, this malware can execute DLLs from the temporary folder, send execution results, and transfer EXE and PowerShell files.

Fake update attacks are not a recent phenomenon; they have existed almost since the dawn of the internet and rely on deceiving the visitor into believing that their computer is at risk. In its simplest form, the attack is nothing more than a popup warning.

To protect against these attacks, it is crucial to understand how most of these programs communicate with their users and how they update. Generally, most browsers update automatically and do not ask users to download or execute executable files. Other programs require the user to visit the official page to download a new installation file, which, in most cases, replaces the existing installation. Having antivirus software is also an important protective measure.
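One way to turn the advice above into a check, as an added example that is not part of the original article or of Gen Threat Labs' research: the lure described in the article gets a visitor to download an executable named like an update for a browser, Java, VMware Workstation, WebEx or Proton VPN from a site that is not the vendor's. The script below scans proxy log lines for executable downloads whose filename mentions one of those products while the serving host is not on an allowlist of official vendor domains. The log format, the sample lines, and the allowlist are all constructed for this example; a real deployment would maintain its own list of official distribution hosts.

```python
"""Flag "update"-named executable downloads served from non-vendor hosts.

Added example, not code from the original article. The proxy log format
(timestamp, client IP, method, URL), the sample lines and the allowlist of
official hosts are assumptions made for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of official download domains per product (illustrative only).
OFFICIAL_HOSTS = {
    "java": {"java.com", "oracle.com"},
    "vmware": {"vmware.com", "broadcom.com"},
    "webex": {"webex.com", "cisco.com"},
    "protonvpn": {"protonvpn.com", "proton.me"},
    "chrome": {"google.com"},
    "firefox": {"mozilla.org"},
}

# Extensions that execute on Windows when opened; the article mentions EXE,
# DLL and PowerShell payloads, the rest are common installer/script formats.
EXEC_EXT = re.compile(r"\.(exe|msi|dll|ps1|bat|js)$", re.IGNORECASE)
UPDATE_WORDS = re.compile(r"update|upgrade|patch|setup|install", re.IGNORECASE)

# Constructed sample proxy log: timestamp, client IP, method, URL.
CONSTRUCTED_LOG = [
    "2024-10-05T10:21:07Z 10.0.0.15 GET https://dl.google.com/chrome/install/ChromeSetup.exe",
    "2024-10-05T10:22:41Z 10.0.0.15 GET http://cdn-updates-check.example/java_update_8u401.exe",
    "2024-10-05T10:23:03Z 10.0.0.22 GET https://blog.example/wp-content/uploads/vmware-workstation-upgrade.msi",
    "2024-10-05T10:23:59Z 10.0.0.22 GET https://blog.example/images/logo.png",
    "2024-10-05T10:25:10Z 10.0.0.31 GET https://www.protonvpn.com/download/ProtonVPN_v3.2.1.exe",
]


def host_is_official(host, product):
    """True if host is the vendor domain itself or a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_HOSTS[product])


def product_in(filename):
    """Return the first product keyword found in the filename, or None."""
    name = filename.lower()
    for product in OFFICIAL_HOSTS:
        if product in name:
            return product
    return None


def flag_download(url):
    """Return a reason string if the URL looks like a fake-update lure, else None."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    if not EXEC_EXT.search(filename):
        return None  # not an executable download
    product = product_in(filename)
    if product is None:
        return None  # no impersonated product in the name
    host = parsed.hostname or ""
    if host_is_official(host, product):
        return None  # served from the vendor's own domain
    if UPDATE_WORDS.search(filename):
        return f"{product} update-named executable from non-vendor host {host}"
    return f"{product} executable from non-vendor host {host}"


def scan_log(lines):
    """Return (client_ip, url, reason) for every flagged download."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip
        client_ip, url = parts[1], parts[3]
        reason = flag_download(url)
        if reason:
            hits.append((client_ip, url, reason))
    return hits


if __name__ == "__main__":
    for ip, url, reason in scan_log(CONSTRUCTED_LOG):
        print(f"{ip}\t{reason}\t{url}")
```

The check deliberately ignores downloads that do come from the vendor's domain, which matches the article's advice that legitimate updates either happen automatically or are fetched from the official page; what it surfaces is the combination the lure depends on, a product-named installer served from somewhere else.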