
The WINELOADER backdoor used in recent cyberattacks against diplomatic entities is believed to be the work of a hacker group linked to Russia’s Foreign Intelligence Service (SVR), which is responsible for the SolarWinds and Microsoft intrusions.
The findings come from Mandiant, which said Midnight Blizzard (also known as APT29, BlueBravo or Cozy Bear) used the malware around February 26, 2024 to target German political parties by sending phishing emails bearing the Christian Democratic Union (CDU) logo.
Researchers Luke Jenkins and Dan Black said: “This is the first time we have seen an APT29 cluster targeting political parties, suggesting that in addition to the typical diplomatic corps targets, there may be emerging priority areas for action.”

Zscaler ThreatLabz first disclosed WINELOADER last month as part of a cyber espionage campaign believed to have been ongoing since at least July 2023. The activity is attributed to a cluster called SPIKEDWINE.
The attack chain uses phishing emails with German-language lure content purporting to be an invitation to a dinner reception, tricking recipients into clicking a fake link and downloading a rogue HTML Application (HTA) file called ROOTSAW (also known as EnvyScout). ROOTSAW is the first-stage implant and acts as a conduit for delivering WINELOADER from a remote server.
“The German-language lure file contains a phishing link that directs victims to a malicious ZIP file containing the ROOTSAW implant hosted on a compromised website controlled by the attackers,” the researchers said. “ROOTSAW delivered the second-stage CDU-themed decoy document and next-stage WINELOADER payload.”
WINELOADER is invoked through a DLL sideloading technique that abuses the legitimate sqldumper.exe binary. Once running, the backdoor can contact an attacker-controlled server and fetch additional modules for execution on the compromised host.
It is said to share similarities with known APT29 malware families such as BURNTBATTER, MUSKYBEAT and BEATDROP, suggesting a common developer.
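The sideloading step above is the part of the chain a defender can most readily detect: a signed, trusted binary (here sqldumper.exe) is copied somewhere it does not belong and made to load a DLL sitting beside it. The following triage script is an added example, not code from the article or from Mandiant or Zscaler. It assumes Sysmon-style image-load records with `process`, `loaded` and `signed` fields; every path, the victim user name and the DLL file names are constructed placeholders, since the article does not name the sideloaded DLL. It flags loads where a known sideloading host pulls a DLL from outside the trusted install roots and explains why each hit was raised.

```python
from pathlib import PureWindowsPath

# Signed, legitimate binaries the article names as a DLL-sideloading host.
SIDELOAD_HOSTS = {"sqldumper.exe"}

# Install locations where a trusted copy of the host and its DLLs belong.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Constructed Sysmon-style image-load events (Event ID 7 shape). Paths, the
# user name and the DLL names are hypothetical; none come from the reports.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Microsoft SQL Server\150\Shared\sqldumper.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"process": r"C:\Users\victim\AppData\Local\Temp\invite\sqldumper.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\invite\sideloaded_placeholder.dll",
     "signed": False},
    {"process": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Users\victim\Downloads\helper_placeholder.dll", "signed": False},
]


def _under(path, root):
    """True if `path` lies inside `root`. The check is part-wise, so
    'C:\\Program Files (x86)' is not treated as being under 'C:\\Program Files'."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def classify_load(event):
    """Return a reason string if the load looks like DLL sideloading, else None."""
    proc = PureWindowsPath(event["process"])
    dll = PureWindowsPath(event["loaded"])
    # Only hosts known to be abused are in scope; everything else is ignored here.
    if proc.name.lower() not in SIDELOAD_HOSTS:
        return None
    # A DLL resolved from a trusted install root is the expected, benign case.
    if any(_under(dll, root) for root in TRUSTED_ROOTS):
        return None
    reasons = []
    if dll.parent == proc.parent:
        reasons.append("DLL loaded from the host binary's own directory")
    if not any(_under(proc, root) for root in TRUSTED_ROOTS):
        reasons.append("host binary running outside its install location")
    if not event.get("signed", False):
        reasons.append("loaded DLL is unsigned")
    return "; ".join(reasons) if reasons else "DLL loaded from untrusted path"


def flag_sideload_candidates(events):
    """Return (loaded_dll, reason) tuples for events worth an analyst's attention."""
    hits = []
    for event in events:
        reason = classify_load(event)
        if reason:
            hits.append((event["loaded"], reason))
    return hits


if __name__ == "__main__":
    for dll, reason in flag_sideload_candidates(SAMPLE_EVENTS):
        print(f"{dll}\n    {reason}")
```

Only the second constructed event is raised: the sideloading host runs from a temp directory and loads an unsigned DLL from that same directory, which is the shape the article describes. The notepad.exe event is deliberately left alone to show the rule is scoped to known hosts; a production rule would widen `SIDELOAD_HOSTS` to the organization's own list and feed it from real telemetry rather than the inline sample.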
WINELOADER was also used in late January 2024 in operations targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru, according to the Google Cloud subsidiary.
“ROOTSAW remains a core component of APT29’s initial access efforts to gather foreign political intelligence,” the company said.
“The expanded use of the first-stage malware against German political parties represents a clear departure from the typical diplomatic focus of this APT29 subcluster and almost certainly reflects SVR’s interest in gathering information from political parties and other aspects of civil society, which could further the development of Moscow’s geopolitical interests.”

The development comes as German prosecutors charged an officer named Thomas H with espionage for allegedly spying on behalf of Russian intelligence and passing unspecified sensitive information. He was arrested in August 2023.
“Since May 2023, he proactively contacted the Russian Consulate General in Bonn and the Russian Embassy in Berlin on several occasions and expressed his willingness to cooperate,” the federal prosecutor’s office said. “On one occasion, he forwarded information obtained during his professional activities to Russian intelligence services.”