Europeans are known to enjoy fine wine, a cultural characteristic that’s been used against them by attackers behind a recent threat campaign. The cyber operation aimed to deliver a novel backdoor by luring European Union (EU) diplomats with a fake wine-tasting event.
Researchers at Zscaler’s ThreatLabz discovered the campaign, which specifically targeted officials from EU countries with Indian diplomatic missions, they wrote in a blog post published Feb. 27. The actor — appropriately dubbed “SpikedWine” — used a PDF file in emails purporting to be an invitation letter from the ambassador of India, inviting diplomats to a wine-tasting event on Feb. 2.
“We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack,” Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay wrote in the post.
The campaign’s payload is a backdoor that researchers have called “WineLoader,” which has a modular design and employs techniques specifically to evade detection. Those include re-encryption and zeroing out memory buffers, which serve to guard sensitive data in memory and evade memory forensics solutions, the researchers noted.
SpikedWine used compromised websites for command-and-control (C2) at multiple stages of the attack chain, which starts when a victim clicks on a link in the PDF and ends with the modular delivery of WineLoader. Overall, the cyberattackers showed a high level of sophistication both in the creative crafting of the socially engineered campaign and the malware, the researchers said.
SpikedWine Uncorks Multiple Cyberattack Phases
Zscaler ThreatLabz discovered the PDF file — the invite to a purported wine-tasting at the Indian ambassador’s residence — uploaded to VirusTotal from Latvia on Jan. 30. Attackers crafted the contents carefully to impersonate the ambassador of India, and the invitation includes a malicious link to a fake questionnaire under the premise that it must be filled out in order to participate.
Clinking — err, clicking — on the link redirects users to a compromised site that proceeds to download a zip archive containing a file called “wine.hta.” The downloaded file contains obfuscated JavaScript code that executes the next stage of the attack.
The script eventually launches a file named sqlwriter.exe from C:\Windows\Tasks, which starts the WineLoader infection chain by loading a malicious DLL named vcruntime140.dll placed alongside it. This is DLL side-loading: sqlwriter.exe itself is a legitimate Microsoft binary, and it picks up the attacker's DLL from its own directory because of the DLL name. The DLL's exported function set_se_translator then decrypts the WineLoader core module embedded within the DLL, using a hardcoded 256-byte RC4 key, and executes it.
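The chain above leaves a recognisable footprint in endpoint telemetry: a host executable staged in C:\Windows\Tasks that resolves vcruntime140.dll from its own directory rather than from a system directory. The following Python is an added example, not code from Zscaler or from the attackers; it runs a simple side-loading check over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and correlates hits by process ID. The sample events, the parent-process values and the directory lists are assumptions made up for the example.

```python
import ntpath

# Directories from which a vcruntime140.dll load is expected (assumption for the example).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Writable staging directory named in the article; extend for your estate (assumption).
STAGING_DIRS = {r"c:\windows\tasks"}

# Constructed Sysmon-style telemetry, not real logs. EventID 1 = process
# creation, EventID 7 = image load. Paths and parent images are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Windows\Tasks\sqlwriter.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 7, "ProcessId": 4321, "Image": r"C:\Windows\Tasks\sqlwriter.exe",
     "ImageLoaded": r"C:\Windows\Tasks\vcruntime140.dll"},
    # Benign control: a SQL Server VSS Writer loading the runtime from System32.
    {"EventID": 1, "ProcessId": 5555,
     "Image": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 7, "ProcessId": 5555,
     "Image": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140.dll"},
]


def _split(path: str):
    """Lower-cased (directory, filename), using Windows path rules on any host OS."""
    d, f = ntpath.split(path)
    return d.lower(), f.lower()


def detect_sideload(events) -> dict:
    """Return {ProcessId: [reasons]} for processes matching the chain:
    sqlwriter.exe launched from a staging directory, and/or vcruntime140.dll
    loaded from the process's own directory instead of a system directory."""
    findings = {}
    for ev in events:
        pid = ev["ProcessId"]
        proc_dir, proc_name = _split(ev["Image"])
        if ev["EventID"] == 1:
            if proc_name == "sqlwriter.exe" and proc_dir in STAGING_DIRS:
                findings.setdefault(pid, []).append(
                    f"sqlwriter.exe launched from {proc_dir}")
        elif ev["EventID"] == 7:
            dll_dir, dll_name = _split(ev["ImageLoaded"])
            if (dll_name == "vcruntime140.dll" and dll_dir == proc_dir
                    and dll_dir not in SYSTEM_DIRS):
                findings.setdefault(pid, []).append(
                    f"vcruntime140.dll side-loaded from {dll_dir}")
    return findings


if __name__ == "__main__":
    for pid, reasons in detect_sideload(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

On its own, the image-load rule is noisy: many legitimate applications ship vcruntime140.dll app-locally next to their executable. The strong signal is the combination of that load with a Windows system binary name running from a writable location such as C:\Windows\Tasks, which is why the two findings are correlated on the same process ID.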
WineLoader: Modular, Persistent Backdoor Malware
WineLoader has several modules, each of which consists of configuration data, an RC4 key, and encrypted strings, followed by the module code. The modules observed by the researchers include a core module and a persistence module.
The core module supports three commands: executing modules received from the C2 server, either synchronously or asynchronously; injecting the backdoor into another DLL; and updating the sleep interval between beacon requests.
The persistence module lets the backdoor run itself at set intervals. It also carries an alternative configuration for establishing registry-based persistence at a different location on the targeted machine.
Cyberattacker's Evasive Tactics
WineLoader has a number of functions aimed specifically at evading detection, which the researchers said shows a notable level of sophistication on SpikedWine's part. The core module, every module subsequently downloaded from the C2 server, the embedded strings, and all data sent to and received from the C2 are encrypted with a hardcoded 256-byte RC4 key.
Some strings are decrypted only at the moment they are needed and re-encrypted shortly afterward, the researchers said. The malware also zeroes out the memory buffers that hold the results of API calls and overwrites decrypted strings with zeroes once it is finished with them, so a memory dump taken at an arbitrary moment yields little usable plaintext.
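To make the decrypt-on-use, re-encrypt and zero-after-use pattern concrete, here is an added Python example; it is neither WineLoader's code nor Zscaler's. It keeps a string RC4-encrypted at rest, decrypts it in place only inside a context block, re-encrypts it on exit, and zeroes the scratch buffer that received an "API result"; a stand-in memory scan reports at which points the plaintext would have been recoverable. The key, the plaintext string and the scan helper are constructed for the example.

```python
from contextlib import contextmanager


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of PRGA output.
    Keys are consumed in full up to 256 bytes, so a 256-byte key is valid."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray(n)
    i = j = 0
    for k in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[k] = S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def rc4_xor_inplace(buf: bytearray, key: bytes) -> None:
    """XOR the buffer with the RC4 keystream in place. RC4 is a stream cipher,
    so applying this twice restores the original bytes; that symmetry is what
    makes decrypt-on-use followed by re-encrypt-after-use cheap."""
    for k, ks in enumerate(rc4_keystream(key, len(buf))):
        buf[k] ^= ks


def zeroize(buf: bytearray) -> None:
    """Overwrite a mutable buffer with zeroes once its contents are no longer needed."""
    for k in range(len(buf)):
        buf[k] = 0


class ProtectedString:
    """A string that lives encrypted in memory and is decrypted in place,
    briefly, only inside a `with` block."""

    def __init__(self, plaintext: bytes, key: bytes):
        self.key = key
        self.blob = bytearray(plaintext)
        rc4_xor_inplace(self.blob, key)           # encrypted from the moment it is stored

    @contextmanager
    def use(self):
        rc4_xor_inplace(self.blob, self.key)      # decrypt on use
        try:
            yield self.blob                       # caller works on the live buffer
        finally:
            rc4_xor_inplace(self.blob, self.key)  # re-encrypt shortly after


def scan_memory(buffers, needle: bytes) -> bool:
    """Stand-in for a memory-forensics string scan over the buffers we hold."""
    return any(needle in bytes(b) for b in buffers)


def demo() -> dict:
    """Run the pattern once and report when the plaintext was recoverable."""
    key = bytes(range(256))                       # constructed 256-byte RC4 key, not the real one
    secret = b"https://c2.example.invalid/beacon"  # constructed plaintext
    ps = ProtectedString(secret, key)
    scratch = bytearray(64)                       # buffer that will receive an "API result"
    live = [ps.blob, scratch]
    seen = {"at_rest": scan_memory(live, secret)}
    with ps.use() as plain:
        scratch[:len(plain)] = plain              # the "API call" result lands here
        seen["in_use"] = scan_memory(live, secret)
    zeroize(scratch)                              # scrub the API-result buffer
    seen["after"] = scan_memory(live, secret)
    return seen
```

Python's bytearray is used because immutable bytes objects cannot be scrubbed in place. In native code the equivalent scrub must use SecureZeroMemory on Windows or explicit_bzero elsewhere: an optimizing compiler may delete a plain memset on a buffer that is about to be freed, which would leave the plaintext a forensic tool can find.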
Another notable aspect of how SpikedWine operates is that the actor uses compromised network infrastructure at all stages of the attack chain. Specifically, the researchers identified three compromised websites used for hosting intermediate payloads or as C2 servers, they said.
Protection & Detection (How to Avoid Red Wine Stains)
Zscaler ThreatLabz has notified contacts at the National Informatics Center (NIC) in India about the abuse of Indian government themes in the attack.
As the C2 server used in the attack responds only to specific types of requests at certain times, automated analysis solutions cannot retrieve C2 responses and modular payloads for detection and analysis, the researchers said. To help defenders, they included a list of indicators of compromise (IoCs) and URLs associated with the attack in their blog post.
Zscaler's own platform detects the payload under the threat name Win64.Downloader.WineLoader, the researchers noted; defenders on other stacks can build equivalent file, URL and network detections from the published IoCs.