Article Details
Scrape Timestamp (UTC): 2024-02-29 08:23:35.694
Source: https://thehackernews.com/2024/02/new-backdoor-targeting-european.html
Original Article Text
New Backdoor Targeting European Officials Linked to Indian Diplomatic Events

A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER.

The adversary, according to a report from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.

The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of another similar PDF file uploaded from the same country.

"The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure," security researchers Sudeep Singh and Roy Tay said.

Central to the novel attack is the PDF file that comes embedded with a malicious link that masquerades as a questionnaire, urging the recipients to fill it out in order to participate. Clicking on the link paves the way for an HTML application ("wine.hta") that contains obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the same domain.

The malware is packed with a core module that's designed to execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.

A notable aspect of the cyber incursions is the use of compromised websites for C2 and hosting intermediate payloads. It's suspected that the "C2 server only responds to specific types of requests at certain times," thereby making the attacks more evasive.

"The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions," the researchers said.
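The two-stage fetch described above (an HTA download followed by a ZIP retrieved from the same domain) is something a defender can hunt for in web-proxy logs. The following is an added example, not code from the article or from Zscaler; the log format, hostnames and file names are constructed for illustration and are not indicators from the report.

```python
"""Flag hosts that fetch an .hta and then, shortly after, an archive from the
same domain, the pattern described for the wine.hta -> ZIP -> WINELOADER chain."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy lines (hypothetical hosts/domains, not real indicators).
# Format: <timestamp> <client> <method> <url> <status>
SAMPLE_LOG = """\
2024-02-01T09:58:11Z ws-17 GET https://news-example.invalid/index.html 200
2024-02-01T10:01:42Z ws-17 GET https://events-example.invalid/invite/wine.hta 200
2024-02-01T10:01:47Z ws-17 GET https://events-example.invalid/invite/pkg.zip 200
2024-02-01T10:03:05Z ws-23 GET https://cdn-example.invalid/tool.zip 200
2024-02-01T11:20:00Z ws-23 GET https://other-example.invalid/app.hta 200
"""

ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")


def parse_line(line):
    """Parse one constructed proxy line into a dict of the fields we correlate on."""
    ts, client, _method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "domain": parts.hostname, "path": parts.path.lower(), "status": int(status)}


def find_hta_then_archive(log_text, window=timedelta(minutes=10)):
    """Return (client, domain, hta_path, archive_path) for every client that
    successfully fetched an .hta and, within `window`, an archive from the same domain."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(events):
        if ev["status"] != 200 or not ev["path"].endswith(".hta"):
            continue
        for later in events[i + 1:]:          # events are time-ordered, so stop past the window
            if later["ts"] - ev["ts"] > window:
                break
            if (later["client"] == ev["client"] and later["domain"] == ev["domain"]
                    and later["path"].endswith(ARCHIVE_SUFFIXES)):
                hits.append((ev["client"], ev["domain"], ev["path"], later["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_hta_then_archive(SAMPLE_LOG):
        print("HTA followed by archive from same domain:", hit)
```

Only ws-17 matches: ws-23 fetched its archive from a different domain and before, not after, its HTA.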
Daily Brief Summary
An unknown cyberespionage group, SPIKEDWINE, has targeted European officials connected to Indian diplomatic events using a new backdoor, WINELOADER.
The attack was executed through a deceptive PDF email attachment purporting to be from the Ambassador of India, inviting recipients to a wine tasting.
The PDF document, containing a malicious link, was uploaded to VirusTotal from Latvia; a similar PDF uploaded from the same country suggests the campaign may have been active as early as July 2023.
The link directs users to download an HTML application filled with obfuscated JavaScript designed to fetch the WINELOADER malware.
WINELOADER comes equipped with capabilities for executing additional malicious modules, DLL injection, and command-and-control communication adjustments to avoid detection.
Researchers noted the attack's low volume and high sophistication, highlighting features that dodge memory forensics and URL scanning solutions.
The operation also used compromised websites for command-and-control and as repositories for intermediary payloads, indicating a well-orchestrated stealth campaign.