The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia's Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft.
The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.
"This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions," researchers Luke Jenkins and Dan Black said.
WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that is believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.
Attack chains leverage phishing emails with German-language lure content that purports to be an invitation for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.
"The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website," the researchers said. "ROOTSAW delivered a second-stage CDU-themed lure document and a next-stage WINELOADER payload."
WINELOADER, invoked via a technique known as DLL side-loading using the legitimate sqldumper.exe, comes equipped with capabilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.
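As an added illustration of the detection side of the side-loading step described above (example code, not from the article or from Mandiant), the following Python heuristic flags image-load events in which sqldumper.exe runs from outside its expected SQL Server install path or loads an unsigned DLL from its own directory. The pipe-delimited event format, the file paths, the DLL names and the install-path prefixes are all assumptions constructed for this example.

```python
import ntpath

# Constructed sample of Sysmon-style "image loaded" events, one per line.
# Assumed field layout: image|loaded_module|signed|signer
# The third line is a constructed example of sqldumper.exe dropped into a
# user-writable folder and loading an unsigned DLL sitting next to it.
SAMPLE_EVENTS = """\
C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\sqldumper.exe|C:\\Windows\\System32\\kernel32.dll|true|Microsoft Windows
C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\sqldumper.exe|C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\helper.dll|true|Microsoft Corporation
C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\sqldumper.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\helper.dll|false|
"""

# Assumed legitimate install locations for sqldumper.exe (lower-cased for comparison).
EXPECTED_PREFIXES = (
    "c:\\program files\\microsoft sql server\\",
    "c:\\program files (x86)\\microsoft sql server\\",
)


def parse_event(line):
    """Split one pipe-delimited event into a dict; 'signed' becomes a bool."""
    image, loaded, signed, signer = line.split("|")
    return {"image": image, "loaded": loaded,
            "signed": signed.strip().lower() == "true", "signer": signer}


def is_sideload_candidate(evt):
    """True when sqldumper.exe runs from an unexpected path, or loads an
    unsigned DLL from the directory it was started from (side-loading pattern)."""
    image = evt["image"].lower()
    if ntpath.basename(image) != "sqldumper.exe":
        return False
    outside_install = not image.startswith(EXPECTED_PREFIXES)
    same_dir = ntpath.dirname(image) == ntpath.dirname(evt["loaded"].lower())
    return outside_install or (same_dir and not evt["signed"])


def find_sideload_candidates(text):
    """Return the parsed events from `text` that match the heuristic."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("suspicious sqldumper.exe load:", hit["image"], "->", hit["loaded"])
```

Signed sqldumper.exe under its normal install path loading DLLs from its own directory is expected behaviour, so the rule deliberately keys on path and signature together rather than on the DLL name alone.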
It is said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.
WINELOADER, per the Google Cloud subsidiary, has also been used in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.
"ROOTSAW continues to be the central component of APT29's initial access efforts to collect foreign political intelligence," the company said.
"The first-stage malware's expanded use to target German political parties is a notable departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR's interest in gleaning information from political parties and other aspects of civil society that could advance Moscow's geopolitical interests."
The development comes as German prosecutors have charged a military officer, named Thomas H, with espionage offenses after he was allegedly caught spying on behalf of Russian intelligence services and passing on unspecified sensitive information. He was arrested in August 2023.
"From May 2023, he approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate," the Office of the Federal Prosecutor said. "On one occasion, he transmitted information that he had obtained in the course of his professional activities for forwarding to a Russian intelligence service."
Some parts of this article are sourced from: thehackernews.com