A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries with Indian diplomatic missions, using a new backdoor called WINELOADER.
The adversary, according to a report from Zscaler ThreatLabz, used a PDF file attached to an email that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.
The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that the campaign may have been active since at least July 6, 2023, going by the discovery of another similar PDF file uploaded from the same country.
"The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure," security researchers Sudeep Singh and Roy Tay said.
Central to the attack is the PDF file, which embeds a malicious link that masquerades as a questionnaire, urging recipients to fill it out in order to participate. Clicking the link leads to an HTML Application ("wine.hta") containing obfuscated JavaScript that retrieves an encoded ZIP archive carrying WINELOADER from the same domain.
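A first triage step for a lure of this kind is to pull every link target out of the PDF before anyone clicks it and flag targets that resolve to script-type files such as .hta. The following Python is an added example written for this article; it is not code from Zscaler ThreatLabz or from the campaign itself. The embedded PDF is constructed here for illustration (hostnames under the reserved .invalid domain, a made-up link to a wine.hta file), and the regex-based scan only sees /URI entries stored as plain literal strings in uncompressed objects.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# The first points at an .hta file, mirroring the delivery described in the
# article; the second is a benign-looking page. Neither URL is real.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 620]
   /A << /S /URI /URI (https://invite.example.invalid/questionnaire/wine.hta) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 500 300 520]
   /A << /S /URI /URI (https://www.example.invalid/about) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (literal string): handles backslash-escaped characters inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")

# Link targets that should never appear in a meeting invitation.
SUSPICIOUS_EXT = (".hta", ".lnk", ".js", ".jse", ".vbs", ".wsf", ".iso", ".zip")

# Keywords that indicate active content; counts are a quick pdfid-style signal.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def unescape_pdf_string(raw: bytes) -> str:
    # Undo the common PDF literal-string escapes: \( \) and \\.
    out = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> List[str]:
    """Return every /URI literal-string target in document order."""
    return [unescape_pdf_string(m.group("uri")) for m in URI_RE.finditer(pdf)]


def risky_keywords(pdf: bytes) -> Dict[str, int]:
    """Count active-content keywords; a word boundary stops /JS matching /JSxyz."""
    return {
        k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf))
        for k in RISKY_KEYS
    }


def triage_pdf(pdf: bytes) -> List[dict]:
    """One finding per link: host, path, and whether the target extension is suspicious."""
    findings = []
    for uri in extract_uris(pdf):
        parsed = urlparse(uri)
        findings.append({
            "uri": uri,
            "host": parsed.hostname,
            "flagged": parsed.path.lower().endswith(SUSPICIOUS_EXT),
        })
    return findings


if __name__ == "__main__":
    for f in triage_pdf(SAMPLE_PDF):
        print(("FLAG " if f["flagged"] else "ok   ") + f["uri"])
    print(risky_keywords(SAMPLE_PDF))
```

Real-world lures frequently store annotations inside FlateDecode-compressed object streams, where this raw scan sees nothing; for those, decompress with a proper parser (pypdf, or Didier Stevens' pdf-parser) and run the same checks on the decoded objects. A zero count from risky_keywords is therefore a weak negative, while a flagged link is a strong positive.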
The malware has a core module designed to execute modules fetched from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.
A noteworthy aspect of the intrusions is the use of compromised websites for C2 and for hosting intermediate payloads. It is suspected that the "C2 server only responds to specific types of requests at certain times," making the attacks harder to detect and to replay from a sandbox.
"The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions," the researchers said.
Some parts of this article are sourced from:
thehackernews.com