
WINELOADER Backdoor

Cyber attacks deploying the WINELOADER backdoor are believed to be carried out by a hacking group with ties to Russia's Foreign Intelligence Service (SVR). The group, known as Midnight Blizzard (also referred to as APT29, BlueBravo, or Cozy Bear), gained notoriety for its involvement in breaches such as those of SolarWinds and Microsoft. The backdoor has previously been used in attacks targeting diplomatic entities through wine-tasting phishing lures.

Researchers have uncovered evidence suggesting that Midnight Blizzard utilized this malware to target German political parties in late February 2024, employing phishing emails adorned with the logo of the Christian Democratic Union (CDU). This marks the first instance where APT29 has been observed targeting political parties specifically, suggesting a potential shift in their operational focus away from traditional diplomatic missions.

The WINELOADER Backdoor Infects Victims via Multi-stage Attack Chain

In February 2024, researchers disclosed the existence of WINELOADER as part of an ongoing cyber espionage campaign believed to have commenced in July 2023. This activity has been attributed to a cluster known as SPIKEDWINE.

The attack strategy involves phishing emails containing German-language content designed to lure recipients with the promise of a dinner reception invitation. These emails aim to trick recipients into clicking on a deceptive link, leading to the download of a rogue HTML Application (HTA) file named ROOTSAW (also known as EnvyScout). ROOTSAW serves as an initial dropper, facilitating the delivery of WINELOADER from a remote server.

The German-language lure document within the phishing emails directs victims to a malicious ZIP file hosted on a compromised website controlled by the actors. This ZIP file contains the ROOTSAW dropper. Upon execution, ROOTSAW delivers a second-stage lure document themed around the Christian Democratic Union (CDU) and subsequently deploys the WINELOADER payload.

WINELOADER is launched through DLL side-loading, using the legitimate sqldumper.exe binary as the host process. Once running, it establishes communication with a server controlled by the threat actors, from which it can retrieve and execute additional modules on the compromised host.
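Each stage of the chain above (mshta.exe running the ROOTSAW HTA, a copy of sqldumper.exe executing outside its install directory, and an unsigned DLL loaded into it from the same folder) leaves a trace in endpoint telemetry. The following added example, written for this page and not code from the original report or any vendor tool, checks Sysmon-style process-creation and image-load records for those three signals; the log lines, user name, install path and DLL name are constructed assumptions, since the page names neither the DLL nor the paths involved.

```python
# Detection logic for the WINELOADER delivery chain described on this page.
import json
from pathlib import PureWindowsPath

# Directories a user, browser or archive tool can write to. A legitimate
# sqldumper.exe and the DLLs it loads should never live here.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\programdata\\", "\\users\\public\\")

def in_user_writable_dir(path):
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)

def analyze_event(ev):
    """Return an alert string for one Sysmon-style event dict, or None."""
    host = PureWindowsPath(ev["image"]).name.lower()
    if ev["event"] == "process_create":
        cmd = ev.get("cmdline", "")
        # Stage 1: ROOTSAW is an HTA, so mshta.exe opening a .hta from a download/temp dir.
        if host == "mshta.exe" and ".hta" in cmd.lower() and in_user_writable_dir(cmd):
            return "HTA dropper execution: " + cmd
        # Stage 2: the copied sqldumper.exe runs from a user-writable path.
        if host == "sqldumper.exe" and in_user_writable_dir(ev["image"]):
            return "sqldumper.exe started from user-writable path: " + ev["image"]
    elif ev["event"] == "image_load":
        # Stage 3: an unsigned DLL loaded into sqldumper.exe from a user-writable path.
        if (host == "sqldumper.exe" and in_user_writable_dir(ev["loaded"])
                and not ev.get("signed", False)):
            return "possible DLL side-load into sqldumper.exe: " + ev["loaded"]
    return None

def scan(lines):
    """Run analyze_event over JSON-lines log records and collect the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = analyze_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample log (JSON lines). The DLL name is a placeholder because
# this page does not name the side-loaded DLL; the SQL Server path is assumed.
SAMPLE_LOG = r"""
{"event": "process_create", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\alice\\Downloads\\invite\\invitation.hta\""}
{"event": "process_create", "image": "C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\SqlDumper.exe", "cmdline": "SqlDumper.exe"}
{"event": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\sqldumper.exe", "cmdline": "sqldumper.exe"}
{"event": "image_load", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\sqldumper.exe", "loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\placeholder_sideload.dll", "signed": false}
{"event": "image_load", "image": "C:\\Program Files\\Microsoft SQL Server\\150\\Shared\\SqlDumper.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": true}
"""
```

Calling `scan(SAMPLE_LOG.splitlines())` yields three alerts, one per stage, while the two records for the genuinely installed SqlDumper.exe produce none.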

Analysis reveals similarities between WINELOADER and other malware families associated with APT29, such as BURNTBATTER, MUSKYBEAT, and BEATDROP, hinting at a shared developer or development methodology. Furthermore, WINELOADER has been identified in an operation targeting diplomatic entities across various countries, including the Czech Republic, Germany, India, Italy, Latvia, and Peru, in late January 2024.

APT29 May Be Expanding Its Scope to Include New Targets

ROOTSAW remains a critical component in APT29's initial infiltration strategies aimed at gathering foreign political intelligence. The utilization of this first-stage malware to target German political parties marks a notable departure from the typical diplomatic targets associated with this APT29 subcluster. This shift undoubtedly reflects the SVR's keen interest in acquiring information from political parties and other facets of civil society that could bolster Moscow's geopolitical objectives.

This development coincides with legal action taken in Germany, where prosecutors have filed espionage charges against a military officer named Thomas H. He stands accused of espionage activities allegedly conducted on behalf of Russian intelligence services involving the transmission of unspecified sensitive information. Thomas H. was apprehended in August 2023.
