Pierluigi Paganini March 23, 2024

Russia-linked threat actors employ the WINELOADER backdoor in recent attacks targeting German political parties.

In late February, Mandiant researchers spotted the Russia-linked group APT29 using a new variant of the WINELOADER backdoor to target German political parties with a CDU-themed lure.  

This is the first time Mandiant observed the APT29 subcluster targeting political parties, suggesting an emerging interest beyond the typical targeting of diplomatic missions.

Targeted entities received phishing emails disguised as invitations to a dinner reception on March 1, featuring the logo of the German political party Christian Democratic Union (CDU). The phishing emails, written in German, included a link that led to a malicious ZIP file hosted on a compromised website.
The ZIP file contained a ROOTSAW dropper that is used to deploy a second-stage lure document also themed around the CDU, along with a WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”.

The WINELOADER backdoor supports multiple features and functions that overlap with other malware in the APT29’s arsenal such as BURNTBATTER, MUSKYBEAT and BEATDROP, which suggests they are likely developed by the same professionals.

WINELOADER is launched using the DLL side loading into a legitimate Windows executable, then it starts to decrypt the main implant logic itself using RC4.

Researchers at Zscaler ThreatLabz first detected WINELOADER in February 2023, the security firm attributed the campaign to an APT dubbed SPIKEDWINE.

Zscaler warned that SPIKEDWINE was a previously unknown threat actor that had been observed targeting European officials. The cyberspies used a bait PDF document masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024.

The campaign is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed by the threat actors.

“Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT29)