Russian hackers use ‘WINELOADER’ malware to target German political parties

March 23, 2024 | Pressroom | Cyber espionage / cyber warfare


The WINELOADER backdoor used in recent cyberattacks against diplomatic entities with wine-tasting phishing lures has been attributed to a hacking group linked to Russia’s Foreign Intelligence Service (SVR), the agency behind the SolarWinds and Microsoft breaches.

The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo or Cozy Bear) used the malware to target German political parties with phishing emails bearing a Christian Democratic Union (CDU) logo around February 26, 2024.

“This is the first time we have seen this APT29 cluster targeting political parties, indicating a possible emerging operational focus area beyond the typical targeting of diplomatic missions,” researchers Luke Jenkins and Dan Black said.


WINELOADER was first revealed by Zscaler ThreatLabz last month as part of a cyber espionage campaign believed to have been ongoing since at least July 2023. It attributed the activity to a cluster called SPIKEDWINE.

The attack chains use phishing emails with German-language lure content purporting to be an invitation to a dinner reception, tricking recipients into clicking a fake link and downloading a malicious HTML Application (HTA) file. That file is a first-stage dropper called ROOTSAW (also known as EnvyScout), which acts as a conduit to deliver WINELOADER from a remote server.

“The German-language bait document contains a phishing link that directs victims to a malicious ZIP file containing a ROOTSAW dropper hosted on a compromised actor-controlled website,” the researchers said. “ROOTSAW delivered a second-stage CDU-themed decoy document and a next-stage WINELOADER payload.”

WINELOADER, invoked via a technique called DLL sideloading using the legitimate sqldumper.exe, is equipped with the ability to contact an actor-controlled server and fetch additional modules for execution on compromised hosts.
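The DLL sideloading described above is something defenders can hunt for in endpoint telemetry: a legitimate, signed binary such as sqldumper.exe that is running from an unexpected directory and loading an unsigned DLL placed beside it. The following detection logic is an added example, not code from Mandiant or from the article. The event layout loosely follows Sysmon image-load records (an assumption), and every path, the DLL name "helper.dll" and the vendor install path are constructed placeholders rather than real WINELOADER indicators.

```python
import ntpath

# Binaries known to be abused for sideloading; the article names sqldumper.exe.
WATCHED_BINARIES = {"sqldumper.exe"}

# Where the genuine tool is expected to live, and where system DLLs live.
# These are assumptions for the example, not values from the article.
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                   "c:\\windows\\winsxs\\")

# Constructed sample image-load events (not from the article).
SAMPLE_EVENTS = [
    {  # benign: the real tool in its install directory loading a system DLL
        "Image": "C:\\Program Files\\Microsoft SQL Server\\160\\Shared\\sqldumper.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true",
    },
    {  # benign: a signed vendor DLL loaded from the install directory
        "Image": "C:\\Program Files\\Microsoft SQL Server\\160\\Shared\\sqldumper.exe",
        "ImageLoaded": "C:\\Program Files\\Microsoft SQL Server\\160\\Shared\\vendorlib.dll",
        "Signed": "true",
    },
    {  # suspicious: binary copied to a temp folder, unsigned DLL loaded beside it
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\sqldumper.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\helper.dll",
        "Signed": "false",
    },
    {  # unrelated process: ignored by this rule
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\user32.dll",
        "Signed": "true",
    },
]


def _norm(path):
    # ntpath handles Windows-style paths regardless of the host platform.
    return ntpath.normpath(path).lower()


def _dir_of(path):
    # Directory with a trailing backslash so prefix checks cannot match
    # "c:\program files" against "c:\program filesx".
    return ntpath.dirname(path) + "\\"


def sideload_reasons(event):
    """Return a list of reasons this image-load event looks like sideloading.

    An empty list means the event is not flagged.
    """
    exe = _norm(event["Image"])
    dll = _norm(event["ImageLoaded"])
    if ntpath.basename(exe) not in WATCHED_BINARIES:
        return []

    reasons = []
    exe_dir = _dir_of(exe)
    dll_dir = _dir_of(dll)

    # 1. A copy of the watched binary running outside its vendor install root
    #    (user temp directories, download folders, extracted ZIP archives).
    if not exe_dir.startswith(INSTALL_ROOTS):
        reasons.append("watched binary running outside its vendor install root")

    # System DLLs are loaded by every process; their location proves nothing.
    if dll_dir.startswith(SYSTEM_DLL_DIRS):
        return reasons

    # 2. The classic sideload shape: an unsigned DLL resolved from the
    #    executable's own directory rather than from a system location.
    if dll_dir == exe_dir and event.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL loaded from the executable's own directory")

    return reasons


def scan(events):
    """Run the rule over a batch of events and return the flagged ones."""
    findings = []
    for event in events:
        reasons = sideload_reasons(event)
        if reasons:
            findings.append((event["Image"], event["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for image, loaded, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}")
        for reason in reasons:
            print(f"  - {reason}")
```

The two conditions are scored separately on purpose: a relocated copy of the binary is already worth a look on its own, and the unsigned-DLL-beside-the-executable condition is what turns it into a sideloading alert. In a real deployment the install roots and the signature field would come from your EDR's schema, and the watched-binary set would be kept as a maintained list rather than hard-coded.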

It is said to share similarities with the APT29 malware families known as BURNTBATTER, MUSKYBEAT and BEATDROP, suggesting the work of a common developer.

WINELOADER, according to the Google Cloud subsidiary, was also deployed in an operation against diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia and Peru in late January 2024.

“ROOTSAW continues to be the central component of APT29’s initial access efforts to gather foreign political intelligence,” the company said.

“The extensive use of early-stage malware to target German political parties is a notable departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gathering intelligence from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests.”


The development comes as German prosecutors charged a military officer, named Thomas H, with espionage offenses after he was allegedly caught spying for Russian intelligence and passing on unspecified sensitive information. He was arrested in August 2023.

“Since May 2023, he has approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate,” the Federal Prosecutor’s Office said. “On one occasion, he passed on information that he had obtained in the course of his professional activity for forwarding to a Russian intelligence service.”
