
Russian-linked APT29 Group Behind WINELOADER Backdoor in Cyber Attacks

In recent cyber attacks, a backdoor named WINELOADER has been used to target diplomatic entities with wine-tasting phishing lures. The activity has been attributed to a hacking group with links to Russia's Foreign Intelligence Service (SVR), the same group that was responsible for breaching SolarWinds and . The group behind the attack has been identified as Midnight Blizzard, also known as APT29, BlueBravo, or Cozy Bear. On February 26, 2024, the group used the malware to target German political parties with phishing emails bearing the logo of the Christian Democratic Union (CDU).

Mandiant, a firm, reported that this is the first time that APT29 has targeted political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. The researchers Luke Jenkins and Dan Black noted this as a significant shift in the group's tactics.

WINELOADER was initially disclosed by Zscaler ThreatLabz last month. It is part of a campaign that's believed to have been ongoing since at least July 2023. The campaign is attributed to a cluster dubbed SPIKEDWINE. Attack chains leverage phishing emails with German-language lure content that purports to be an invite for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.

The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website. ROOTSAW then delivers a second-stage CDU-themed lure document and the WINELOADER payload. WINELOADER, invoked via DLL side-loading using the legitimate sqldumper.exe binary, contacts an actor-controlled server and fetches additional modules for execution on the compromised host.
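One defensive angle on the side-loading step described above: the legitimate sqldumper.exe ships under the SQL Server install tree, so a copy executing from a user-writable directory and loading a DLL from that same directory is worth flagging. The detection below is an added example, not code from Mandiant, Zscaler or the campaign write-up; the log format, file paths and DLL name are constructed, and the install-tree prefix is an assumption.

```python
import re

# Constructed Sysmon-style image-load events (invented for this example, not real telemetry).
SAMPLE_EVENTS = [
    r"EventType=ImageLoad Image=C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe "
    r"ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventType=ImageLoad Image=C:\Users\alice\AppData\Local\Temp\invite\sqldumper.exe "
    r"ImageLoaded=C:\Users\alice\AppData\Local\Temp\invite\placeholder.dll",
    r"EventType=ImageLoad Image=C:\Windows\System32\notepad.exe "
    r"ImageLoaded=C:\Windows\System32\kernel32.dll",
]

# Assumed legitimate location of sqldumper.exe (compared case-insensitively).
EXPECTED_DIR = "c:\\program files\\microsoft sql server\\"


def parse_event(line):
    """Split a 'key=value key=value' line into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def is_sideload_candidate(ev):
    """True when sqldumper.exe runs outside its install tree and loads a DLL
    from its own directory instead of a Windows system directory."""
    image = ev.get("Image", "").lower()
    if not image.endswith("\\sqldumper.exe"):
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    exe_dir = image.rsplit("\\", 1)[0]
    dll_dir = loaded.rsplit("\\", 1)[0]
    outside_install_tree = not image.startswith(EXPECTED_DIR)
    colocated_dll = dll_dir == exe_dir and not dll_dir.startswith("c:\\windows\\")
    return outside_install_tree and colocated_dll


def find_sideload_candidates(lines):
    """Return the parsed events that match the side-loading heuristic."""
    return [ev for ev in map(parse_event, lines) if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

The heuristic deliberately ignores the DLL's name, since the loaded module's filename is attacker-chosen; the anomaly is the binary's location and where it resolves its imports from.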

The malware shares similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting a common developer. In late January 2024, WINELOADER was employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru.

Separately, German prosecutors have charged a military officer named Thomas H with espionage offenses after he was caught spying on behalf of intelligence services and passing on unspecified sensitive information. He was arrested in August 2023. From May 2023, he approached the Consulate General in Bonn and the Embassy in Berlin several times on his own initiative and offered to cooperate. On one occasion, he transmitted information obtained during his professional activities to the intelligence services.

These developments highlight the continued efforts of intelligence services to collect foreign political intelligence. The expanded use of the first-stage malware ROOTSAW to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster. It reflects the SVR's interest in gleaning information from political parties and other parts of civil society that could advance Moscow's geopolitical interests. Individuals and organizations must remain vigilant and take appropriate measures to safeguard their systems and networks against such attacks.
