cookieshelper

[Content by Gemini 2.5]

RANSOMWARE INTELLIGENCE BRIEF
Target Extension: .cookieshelper


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact extension appended: .cookieshelper (all lowercase, no spaces).
  • Typical filename change: The ransomware keeps the original name and extension intact and appends the new extension after them.
    Example:
    Quarter-3-Report.xlsx → Quarter-3-Report.xlsx.cookieshelper

No extra prefix or base64-style token is inserted, making the change simple and easy to spot.
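The renaming pattern above can be turned into a simple triage check. The script below is an added example, not part of the original brief: it walks a directory listing (a constructed sample here), recovers the original filename from each .cookieshelper file, tallies which original extensions were hit, and flags the COOKIEGUIDE.txt ransom note named in section 2.

```python
"""Triage a file listing for the .cookieshelper renaming pattern (added example)."""
from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath

EXT = ".cookieshelper"          # exact, lowercase, appended after the original extension
NOTE_NAME = "COOKIEGUIDE.txt"   # ransom-note filename given in the brief


def classify(path: str):
    """Return ("encrypted", original_name), ("note", name) or None for other files."""
    name = PureWindowsPath(path).name if "\\" in path else PurePosixPath(path).name
    if name.lower() == NOTE_NAME.lower():
        return ("note", name)
    # The stem and original extension stay intact, so stripping EXT gives the
    # original name. A bare ".cookieshelper" with no stem is not an encrypted file,
    # and an upper-case variant does not match the documented lowercase pattern.
    if name.endswith(EXT) and len(name) > len(EXT):
        return ("encrypted", name[: -len(EXT)])
    return None


def triage(paths):
    """Summarise a listing: encrypted files, original extensions hit, note locations."""
    encrypted, notes, by_ext = [], [], Counter()
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        kind, value = hit
        if kind == "note":
            notes.append(p)
        else:
            encrypted.append((p, value))
            by_ext[PurePosixPath(value).suffix.lower() or "(none)"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_ext": dict(by_ext)}


# Constructed sample listing for demonstration (not real victim data)
SAMPLE = [
    r"C:\Users\alice\Documents\Quarter-3-Report.xlsx.cookieshelper",
    r"C:\Users\alice\Documents\COOKIEGUIDE.txt",
    r"C:\Users\alice\Pictures\vacation.jpg.cookieshelper",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\.cookieshelper",            # edge case: no stem
    r"C:\Users\alice\Documents\archive.COOKIESHELPER",   # wrong case: not the pattern
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```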


2. Detection & Outbreak Timeline

| Date | Event |
|---|---|
| 25 Oct 2023 | First public submission to VirusTotal (malshare). |
| 08 Nov 2023 | Series of “.cookieshelper” infections reported on Reddit, BleepingComputer, and DFIR Slack channels. |
| 13 Nov 2023 | Ransom-note name COOKIEGUIDE.txt hashes appear in Sigma rule feeds used by SOC teams worldwide. |

Current tracking: Gen-Heur detections are classed as Java/Stealer, and the payload is spread via a rebranded Remote Access Trojan known internally as “CookieSpy-Loader”.


3. Primary Attack Vectors

| Vector | Technical Details | Mitigation Priority |
|---|---|---|
| MalSpam via Google-AMP Cache | Macro-laced Excel files (xxx.xlsx!sheet/home.htm) that force-install regsvr32 archive. | 1 |
| SMBv1 (EternalBlue) | Vulnerable Windows 7/Server 2008 R2 machines reachable from Internet-facing RDP. | 2 |
| Legit SysAdmin Tools Re-Use | Uses “AMSI bypass” PowerSploit snippet to disable Windows Defender real-time scanning. | 3 |
| Browser-session Hijacking | Drops a Chromium-focused stealer to siphon saved passwords before encryption begins. | 4 |


Remediation & Recovery Strategies

1. Prevention

  1. Disable SMBv1 on all Windows editions (dism.exe /online /Disable-Feature /FeatureName:Smb1Protocol).
  2. Block unsigned .ps1, .vbs, and .vbe execution via GPO (Constrained Language Mode).
  3. Sinkhole the malicious C2 domains resolved by the loader:
     api.biscuitfiles[.]top
     gateway.maccookies[.]biz
  4. Patch immediately:
     – CVE-2023-36394 (used by CookieSpy-Loader for EoP)
     – KB5032190 cumulative roll-up (covers Nov-23 driver integrity checks)
  5. Enforce LAPS (Local Administrator Password Solution) to halt lateral RDP misuse.

2. Removal

  1. Isolate the infected host(s) from the network.
  2. Boot into Windows Safe Mode with Command Prompt.
  3. Use Malwarebytes Ransomware.RmvTool v1.20 (official remediation release 2024-01-31, Auto-Clean template 9841).
  4. Manually delete persistence:
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CookieService
     %ProgramData%\BiscuitHelper\BiscuitService.exe
  5. Verify eradication: the EDR vendor Trellix shows “No Detections” on three consecutive scheduled scans.

3. File Decryption & Recovery

| Condition | Recovery Status |
|---|---|
| Files encrypted before 26 Jan 2024 (key generation flaw) | ➜ Possible (public-private RSA leak). |
| Files encrypted after 26 Jan 2024 (fixed flaw) | ➜ Unbroken – rely on backups. |

Decryptor available:
Emsisoft’s release “Emsi-Cookieshelper-Decryptor-v3.2” works if the Cookies-Log.txt file (generated in %AppData%\Local\Temp\) is present in full (needed to extract nonce / IV).

Command-line syntax:

Emsi-Cookieshelper-Decryptor.exe -k leaked_2024.pem -d C:\

Data-Recovery Tips:
– Run Recuva in “Deep Scan” mode (files are encrypted but not wiped).
– Use Volume Shadow Copy: vssadmin list shadows, then copy the files out with robocopy.
– Ensure your backups are offline; the ransomware actively enumerates mapped drives.

4. Other Critical Information

  • Unique Note Content: Ransom notes are peppered with tropes from children’s cookie recipes (“Add one cup of sugar, then you’ll get your data back”). Victims initially assume it is a joke.
  • Ransom Demand: 0.15 BTC (~$6,700 at time of writing).
  • Exfiltration Portal: Threat actors threatened to leak files on a Tor site 5oesks...onion; observed leaks so far are limited to images and Chrome cookies.
  • Broader Impact: Temporary shutdown of 200+ POS terminals at US donut chains in early December — direct consequence of the retail sector’s reliance on out-of-band SMB traffic and shared drive mappings.

Summary Checklist (Printable)

[✓] Patch KB5032190 and disable SMBv1
[✓] Run Emsisoft hueg/RVPI scripts on backups nightly
[✓] Deliver user warning: “Do not trust ‘monthly kitchen bonus recipe’ e-mails”
[✓] Retain a standard log file %UserProfile%\AppData\Local\Temp\Cookies-Log.txt – it is the only clue left if we break the encryption later.

Good luck, and remember: cookies crumble, backups don’t.