The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed to a hacking group with links to Russia's Foreign Intelligence Service (SVR), the same actor that was responsible for breaching SolarWinds and Microsoft.
The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.
"This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions," researchers Luke Jenkins and Dan Black said.
WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that is believed to have been ongoing since at least July 2023. Zscaler attributed the activity to a cluster it dubbed SPIKEDWINE.
Attack chains leverage phishing emails with German-language lure content that purports to be an invitation to a dinner reception. Recipients are tricked into clicking a phony link and downloading a rogue HTML Application (HTA) file: a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.
"The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website," the researchers said. "ROOTSAW delivered a second-stage CDU-themed lure document and a next-stage WINELOADER payload."
WINELOADER, invoked via a technique called DLL side-loading that abuses the legitimate sqldumper.exe binary, comes equipped with the ability to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.
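The chain described above (an HTA dropper reached from the phishing link, then the legitimate sqldumper.exe side-loading WINELOADER) gives a defender two host-level detection angles: child processes spawned by mshta.exe, the Windows host for .hta files, and sqldumper.exe running outside its install directory or loading a DLL that sits next to it in a user-writable folder. The Python below is an added example written for this page, not code from Mandiant or Zscaler. It runs that logic over constructed, Sysmon-style process-creation and image-load records. The SQL Server install directory, the user-writable path fragments, every path in the sample events and the DLL name helper.dll are assumptions made for the example; the reports quoted here do not name the side-loaded DLL.

```python
"""Detection sketch for the WINELOADER delivery chain described above.
Added example for this page (not Mandiant's or Zscaler's code). All event
records below are constructed; paths, directories and the DLL name are
assumptions, not indicators taken from the reports."""
from dataclasses import dataclass
import ntpath


@dataclass
class Event:
    kind: str          # "process" (process creation) or "imageload" (DLL load)
    image: str         # full path of the process image
    parent: str = ""   # parent process image, for "process" events
    loaded: str = ""   # loaded module path, for "imageload" events


# Assumption: where a legitimate sqldumper.exe is installed with SQL Server.
EXPECTED_DIRS = (
    "c:\\program files\\microsoft sql server\\",
    "c:\\program files (x86)\\microsoft sql server\\",
)
# Path fragments of user-writable locations a phishing ZIP is typically
# extracted to (assumed for this example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")


def is_user_writable(path: str) -> bool:
    """Heuristic: does the path sit under a user-writable directory?"""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(ev: Event) -> list[str]:
    """Return the list of alert strings an event triggers (empty if benign)."""
    alerts = []
    image = ev.image.lower()
    base = ntpath.basename(image)

    # (a) HTA execution: mshta.exe hosts .hta files, so any child it spawns
    # is worth a look when ROOTSAW-style droppers are in play.
    if ev.kind == "process" and ntpath.basename(ev.parent.lower()) == "mshta.exe":
        alerts.append(f"mshta.exe spawned {base}: possible HTA dropper activity")

    # (b) sqldumper.exe abuse: running from outside its install directory,
    # or side-loading a DLL that lives next to it in a user-writable folder.
    if base == "sqldumper.exe":
        if not image.startswith(EXPECTED_DIRS):
            alerts.append(f"sqldumper.exe running from unexpected path {ev.image}")
        if ev.kind == "imageload":
            loaded = ev.loaded.lower()
            same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
            if same_dir and is_user_writable(loaded):
                alerts.append(
                    f"sqldumper.exe side-loading {ntpath.basename(ev.loaded)} "
                    "from its own user-writable directory"
                )
    return alerts


def scan(events: list[Event]) -> list[tuple[str, list[str]]]:
    """Run check_event over a batch; keep only events that raised alerts."""
    hits = []
    for ev in events:
        alerts = check_event(ev)
        if alerts:
            hits.append((ev.image, alerts))
    return hits


# Constructed sample telemetry (not real logs). "helper.dll" is a placeholder
# name; the reports quoted above do not name the side-loaded DLL.
SAMPLE_EVENTS = [
    # Benign: SQL Server's own copy, started by the service control manager.
    Event("process", r"C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe",
          parent=r"C:\Windows\System32\services.exe"),
    # Suspicious: a copy dropped into %TEMP% and launched from an HTA.
    Event("process", r"C:\Users\alice\AppData\Local\Temp\invite\sqldumper.exe",
          parent=r"C:\Windows\System32\mshta.exe"),
    # Suspicious: that copy loading a DLL from the same temp folder.
    Event("imageload", r"C:\Users\alice\AppData\Local\Temp\invite\sqldumper.exe",
          loaded=r"C:\Users\alice\AppData\Local\Temp\invite\helper.dll"),
    # Only the path alert: loading a system DLL is normal behaviour.
    Event("imageload", r"C:\Users\alice\AppData\Local\Temp\invite\sqldumper.exe",
          loaded=r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for image, alerts in scan(SAMPLE_EVENTS):
        print(image)
        for a in alerts:
            print("  -", a)
```

The side-loading rule deliberately keys on the directory relationship (DLL loaded from the same directory as the executable, and that directory being user-writable) rather than on a DLL file name, because the attacker chooses the name and a legitimate sqldumper.exe loading system DLLs from System32 must not fire. In a real deployment the install-directory allowlist and the user-writable path list would come from inventory, not constants.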
It is said to share similarities with known APT29 malware families such as BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.
WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.
"ROOTSAW continues to be the central component of APT29's initial access efforts to collect foreign political intelligence," the company said.
"The first-stage malware's expanded use to target German political parties is a notable departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR's interest in gleaning information from political parties and other aspects of civil society that could advance Moscow's geopolitical interests."
The development comes as German prosecutors have charged a military officer, named Thomas H, with espionage offenses after he was allegedly caught spying on behalf of Russian intelligence services and passing on unspecified sensitive information. He was arrested in August 2023.
"From May 2023, he approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate," the Office of the Federal Prosecutor said. "On one occasion, he transmitted information that he had obtained in the course of his professional activities for forwarding to a Russian intelligence service."