Europeans are known to appreciate good wine, a cultural trait that the attackers behind a recent threat campaign have turned against them. The cyber operation aimed to deliver a new backdoor by luring European Union (EU) diplomats with a fake wine tasting event.
Researchers at Zscaler’s ThreatLabz uncovered the campaign, which specifically targeted officials from EU countries with Indian diplomatic missions, they wrote in a blog post published on February 27. The actor – aptly nicknamed “SpikedWine” – used a PDF file in emails purporting to be an invitation letter from the ambassador of India, inviting diplomats to a wine tasting event on February 2.
“We believe this attack was conducted by a nation-state, interested in exploiting geopolitical relationships between India and diplomats in European nations,” Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay wrote in the post.
The campaign's payload is a backdoor the researchers named “WineLoader.” It has a modular design and employs specific techniques to evade detection, including re-encrypting and clearing memory buffers, which serve to protect sensitive data in memory and to evade memory forensics, the researchers noted.
SpikedWine used compromised websites for command and control (C2) at multiple stages of the attack chain, from the moment a victim clicks the link in the PDF through the modular delivery of WineLoader. Overall, the attackers displayed a high level of sophistication in both the creativity of the social engineering campaign and the malware itself, the researchers said.
SpikedWine uncorks multiple stages of cyber attack
Zscaler ThreatLabz discovered the PDF file – the invitation to a purported wine tasting at the Indian ambassador’s residence – uploaded to VirusTotal from Latvia on January 30. The attackers carefully crafted the content to impersonate the Indian ambassador, and the invitation includes a malicious link to a fake questionnaire under the premise that it must be filled out in order to participate.
A jingle (er, click) on the link redirects users to a compromised site which proceeds to download a zip archive containing a file called “wine.hta”. The downloaded file contains obfuscated JavaScript code that executes the next stage of the attack.
Eventually, the file executes a file named sqlwriter.exe from the path C:\Windows\Tasks\ to start the WineLoader backdoor infection chain by loading a malicious DLL named vcruntime140.dll. This in turn executes an exported function, set_se_translator, which decrypts the main WineLoader module embedded in the DLL using an encrypted 256-byte RC4 key before executing it.
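The infection chain above (an HTA launching a renamed sqlwriter.exe from C:\Windows\Tasks\, which then side-loads a malicious vcruntime140.dll from the same directory) leaves a distinctive trail in endpoint telemetry. The following is an added detection example written for this article, not code from Zscaler or from the campaign; it runs over a handful of constructed, Sysmon-like ProcessCreate and ImageLoad records. The field names, PIDs, the mshta.exe parent and the benign SQL Server control path are all constructed assumptions for the demonstration.

```python
"""Flag the WineLoader-style DLL side-loading chain in constructed endpoint events.

Added example, not Zscaler's or the malware author's code. The records below
are a simplified stand-in for Sysmon Event ID 1 (ProcessCreate) and
Event ID 7 (ImageLoad); field names and values are constructed.
"""
import ntpath  # handles backslash paths on any host OS

# Assumption: directories from which vcruntime140.dll legitimately loads on a
# typical Windows install (SxS paths are matched by prefix).
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)
# Artefacts named in the article: the loader binary, its drop directory and
# the side-loaded DLL.
SUSPECT_EXE = "sqlwriter.exe"
SUSPECT_DIR = r"c:\windows\tasks"
SUSPECT_DLL = "vcruntime140.dll"

# Constructed sample telemetry: one malicious chain and one benign control.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe "C:\Users\diplomat\Downloads\wine\wine.hta"'},
    {"event": "ProcessCreate", "pid": 4188, "image": r"C:\Windows\Tasks\sqlwriter.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe", "command_line": "sqlwriter.exe"},
    {"event": "ImageLoad", "pid": 4188, "image_loaded": r"C:\Windows\Tasks\vcruntime140.dll"},
    # Benign control (constructed): a real SQL writer service loading the runtime from System32.
    {"event": "ProcessCreate", "pid": 3012,
     "image": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "sqlwriter.exe"},
    {"event": "ImageLoad", "pid": 3012, "image_loaded": r"C:\Windows\System32\vcruntime140.dll"},
]


def _norm(path):
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def detect_sideload(events):
    """Return alert strings for events matching the side-loading chain.

    A HIGH alert needs (1) a ProcessCreate of SUSPECT_EXE from SUSPECT_DIR and
    (2) an ImageLoad of SUSPECT_DLL into that PID from outside TRUSTED_DLL_DIRS.
    The ProcessCreate alone is reported as MEDIUM so a blocked or crashed
    loader still leaves an alert behind.
    """
    alerts = []
    loaders = {}  # pid -> image path of a suspicious sqlwriter.exe instance
    for ev in events:
        if ev["event"] == "ProcessCreate":
            image = _norm(ev["image"])
            if ntpath.basename(image) == SUSPECT_EXE and ntpath.dirname(image) == SUSPECT_DIR:
                loaders[ev["pid"]] = image
                parent = ev.get("parent_image", "?")
                alerts.append(f"MEDIUM pid={ev['pid']} {SUSPECT_EXE} launched from "
                              f"{SUSPECT_DIR} (parent={parent})")
        elif ev["event"] == "ImageLoad":
            pid = ev["pid"]
            dll = _norm(ev["image_loaded"])
            if pid in loaders and ntpath.basename(dll) == SUSPECT_DLL \
                    and not dll.startswith(TRUSTED_DLL_DIRS):
                alerts.append(f"HIGH pid={pid} {SUSPECT_DLL} side-loaded from "
                              f"{ntpath.dirname(dll)} into {loaders[pid]}")
    return alerts


if __name__ == "__main__":
    for alert in detect_sideload(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the combination of a known-good binary name in a writable, non-standard directory and a runtime DLL loaded from that same directory rather than System32; the benign control records show that the legitimate SQL writer service produces no alert.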
WineLoader: Modular and persistent backdoor malware
WineLoader has several modules, each of which consists of configuration data, an RC4 key, and encrypted strings, followed by the module code. The modules observed by the researchers include a core module and a persistence module.
The core module supports three commands: running modules fetched from the command and control (C2) server synchronously or asynchronously; placing the backdoor in another DLL; and updating the sleep interval between beacon requests.
The persistence module is intended to make the backdoor run at certain intervals. It also offers an alternative configuration that establishes registry persistence at another location on the targeted machine.
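The configurable sleep interval between beacon requests described for the core module is something a defender can look for from the network side: an implant that sleeps a fixed interval produces requests to one destination with unusually regular gaps, whereas a person browsing does not. The following is an added example written for this article, not Zscaler's code, that scores request series in constructed proxy log lines by the regularity of their inter-arrival times. The log format, host names, client address, timestamps and both thresholds are constructed assumptions.

```python
"""Flag periodic beaconing in constructed proxy log lines.

Added example (not Zscaler's or the malware's code). A fixed beacon sleep
shows up as near-constant gaps between requests from one client to one host;
a low coefficient of variation over enough requests marks the series as
a candidate for investigation. All log content and thresholds below are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed format: "<ISO timestamp> <client> <method> <host>/<path> <status>"
SAMPLE_LOG = """\
2024-02-02T09:00:00 10.1.4.23 GET mission-updates.example/api/status 200
2024-02-02T09:00:05 10.1.4.23 GET cdn.example/jquery.min.js 200
2024-02-02T09:01:00 10.1.4.23 GET mission-updates.example/api/status 200
2024-02-02T09:01:40 10.1.4.23 GET news.example/front 200
2024-02-02T09:02:02 10.1.4.23 GET mission-updates.example/api/status 200
2024-02-02T09:03:00 10.1.4.23 GET mission-updates.example/api/status 200
2024-02-02T09:03:59 10.1.4.23 GET mission-updates.example/api/status 200
2024-02-02T09:05:00 10.1.4.23 GET mission-updates.example/api/status 200
2024-02-02T09:05:13 10.1.4.23 GET news.example/article/12 200
2024-02-02T09:09:47 10.1.4.23 GET news.example/article/40 200
2024-02-02T09:15:30 10.1.4.23 GET news.example/front 200
2024-02-02T09:16:02 10.1.4.23 GET news.example/article/7 200
2024-02-02T09:20:11 10.1.4.23 GET news.example/article/9 200
"""

MIN_REQUESTS = 5   # assumption: minimum samples before judging regularity
MAX_CV = 0.15      # assumption: coefficient of variation at or below this is "regular"


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        host = url.split("/", 1)[0]
        yield datetime.fromisoformat(ts), client, host


def beacon_candidates(text, min_requests=MIN_REQUESTS, max_cv=MAX_CV):
    """Return {(client, host): (mean_gap_seconds, cv)} for regular request series.

    cv is the population standard deviation of the inter-request gaps divided
    by their mean; a fixed sleep with little jitter gives a value near zero.
    """
    series = defaultdict(list)
    for ts, client, host in parse_log(text):
        series[(client, host)].append(ts)

    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for (client, host), (avg, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every ~{avg}s (cv={cv})")
```

In the constructed sample the requests to mission-updates.example arrive roughly once a minute and are flagged, while the irregular browsing to news.example is not; in practice the thresholds are tuned per environment, and an operator who adjusts the sleep interval mid-session will split one series into two, so the candidate list is a triage aid rather than a verdict.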
The cyberattacker’s evasive tactics
WineLoader has a number of features specifically aimed at evading detection, demonstrating a notable level of sophistication on the part of SpikedWine, the researchers said. It encrypts the main module and the subsequent modules downloaded from the C2 server, as well as the strings and the data sent to and received from the C2 server, with an encrypted 256-byte RC4 key.
The malware also decrypts some strings only while they are in use and re-encrypts them shortly afterwards, the researchers said. It likewise clears the memory buffers that hold the results of API calls and overwrites decrypted strings with zeros after use.
Another noteworthy aspect of SpikedWine's operation is that the perpetrator uses compromised network infrastructure at every stage of the attack chain. Specifically, the researchers identified three compromised websites used to host intermediate payloads or to serve as C2 servers.
Protection and detection (how to avoid red wine stains)
Zscaler ThreatLabz notified contacts at the National Informatics Center (NIC) in India about the misuse of Indian government themes in the attack.
Because the C2 server used in the attack responds only to specific types of requests at certain times, automated analysis solutions cannot recover the C2 responses and modular payloads for detection and analysis, the researchers said. To help defenders, they included a list of indicators of compromise (IoCs) and URLs associated with the attack in their blog post.
A multilayer cloud security platform should detect WineLoader-related IoCs at its various layers, for example flagging any file under the threat name Win64.Downloader.WineLoader, the researchers noted.