Hackers target job hunters with dangerous new Windows backdoor — how to stay safe
Looking for a new job now requires an antivirus
Looking for a new job is hard enough as it is, but now hackers are using a phishing campaign to infect job seekers with a new Windows-based backdoor.
As reported by The Hacker News, the backdoor in question has been dubbed WARMCOOKIE by researchers at the cybersecurity firm Elastic Security Labs. According to a new report, it’s used to “scout out victim networks and deploy additional payloads.”
Once installed on a victim’s PC, the backdoor can fingerprint infected machines, capture screenshots and drop other Windows malware onto their system.
Here’s everything you need to know about this new Windows backdoor and how you can stay safe when looking for a new job online.
WARMCOOKIE backdoor
This campaign began at the end of April and uses emails that claim to come from recruitment firms such as Hays, Michael Page and PageGroup in its attack chain. These emails try to entice recipients into clicking on an embedded link to view additional details about a job opportunity.
If a potential victim does click on the link contained in these emails, they are then told to download a document by solving a CAPTCHA challenge. Doing so drops a malicious JavaScript file on their PC. It’s worth noting that this campaign uses compromised websites to host its initial phishing URLs which are then used to redirect potential victims to malicious landing pages.
According to Elastic, this obfuscated script runs PowerShell and loads the WARMCOOKIE backdoor onto the victim's PC. The backdoor follows a two-step process that allows it to establish persistence on the now compromised PC, but before doing so, it performs anti-analysis checks to avoid being detected.
Besides capturing information from the infected PC, WARMCOOKIE can also read and write to files, execute commands using cmd.exe, compile a list of installed applications and capture screenshots.
This backdoor doesn't use automation to install malware onto a Windows PC. Instead, it walks victims through a series of prompts that disguise the attackers' intent, ultimately leaving their computer compromised and infected with malware.
How to stay safe from Windows malware
Windows malware comes in many different forms but fortunately, the steps you can take to keep you and your PC safe remain the same across different malware strains.
For starters, you want to ensure that Windows Defender is enabled and up to date. This free antivirus software comes pre-installed on all Windows 10 and Windows 11 PCs, in the same way that Apple includes its own XProtect antivirus software with macOS. For additional protection, though, and some useful extras like a VPN or password manager, you should also consider installing one of the best antivirus software suites to run alongside it.
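The advice above is easy to verify from an administrator's PowerShell prompt. The script below is an added example, not code from the article or from Elastic's report: part 1 checks that Microsoft Defender is enabled with fresh signatures, and part 2 looks through process-creation audit events for the pattern the attack chain relies on, a Windows Script Host process (which is what runs a downloaded .js file) that launched powershell.exe. The cmdlets are standard Defender and event-log cmdlets; the three-day signature threshold is an assumption, and part 2 assumes that "Audit Process Creation" (Security event 4688) is enabled, which it is not by default.

```powershell
# Added example (not from the Tom's Guide article or Elastic's report).
# Run from an elevated PowerShell prompt on Windows 10/11.

# --- 1. Defender health: enabled, real-time protection on, signatures fresh ----
$status = Get-MpComputerStatus
$maxSignatureAgeDays = 3   # assumed threshold for "up to date"; adjust to your policy

$checks = [ordered]@{
    'Antivirus enabled'       = $status.AntivirusEnabled
    'Real-time protection on' = $status.RealTimeProtectionEnabled
    'Signatures fresh'        = ($status.AntivirusSignatureAge -le $maxSignatureAgeDays)
}
foreach ($name in $checks.Keys) {
    $label = if ($checks[$name]) { 'OK' } else { 'FAIL' }
    Write-Host "[$label] $name"
}
if (-not $checks['Signatures fresh']) {
    Write-Host "Signatures are $($status.AntivirusSignatureAge) day(s) old; updating..."
    Update-MpSignature
}

# --- 2. Hunt: script host (wscript/cscript) spawning PowerShell in the last 7 days
# Requires the "Audit Process Creation" policy (event 4688) to be enabled.
$scriptHosts = @('wscript.exe', 'cscript.exe')
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull EventData fields by name rather than by position, so this works across builds
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = [IO.Path]::GetFileName([string]$data['ParentProcessName'])
    $child  = [IO.Path]::GetFileName([string]$data['NewProcessName'])
    if (($scriptHosts -contains $parent) -and ($child -ieq 'powershell.exe')) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Parent  = $data['ParentProcessName']
            Child   = $data['NewProcessName']
            Command = $data['CommandLine']   # empty unless command-line auditing is also on
        }
    }
}

if ($hits) {
    Write-Host "Script host launched PowerShell $(@($hits).Count) time(s) in the last 7 days; review these:"
    $hits | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No script-host -> PowerShell process creations found (or 4688 auditing is off).'
}
```

A script host starting PowerShell is not proof of compromise on its own, since some legitimate logon scripts do the same, but on a home or small-office PC it is rare enough to be worth a look, and it is exactly the step the article says the downloaded JavaScript file performs.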
From here, you want to be extra careful when checking your inbox. This involves carefully scrutinizing senders’ email addresses to make sure they are legitimate and avoiding downloading any attachments or clicking on links from unknown senders. Hackers use malicious documents and other bogus attachments as an entryway into your PC, so if you don’t know the sender, you should avoid downloading anything that’s sent to you.
As for staying safe during a job hunt, you want to stick to established and trusted sites and services like Indeed, LinkedIn, ZipRecruiter, Monster and GlassDoor. Likewise, if possible, you should try to use your existing connections to see if there are any new positions or opportunities available before heading to a job site to look for work.
WARMCOOKIE may be a newly discovered backdoor but it is quickly gaining popularity among hackers and other cybercriminals as it provides an easy way to infect vulnerable PCs with other types of malware. As such, this likely isn’t the last time that we’ll hear about this particular backdoor being used in cyberattacks.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.