Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Russia-linked APT29 targeted German political parties with WINELOADER backdoor

Russia-linked threat actors employ the WINELOADER backdoor in recent attacks targeting German political parties. In late February, Mandiant researchers spotted the Russia-linked group APT29 using a new variant of the WINELOADER backdoor to target German political parties with a CDU-themed lure.   This is the first time Mandiant observed the APT29 subcluster targeting political parties, suggesting […]

APT28

Russia-linked threat actors employ the WINELOADER backdoor in recent attacks targeting German political parties.

In late February, Mandiant researchers spotted the Russia-linked group APT29 using a new variant of the WINELOADER backdoor to target German political parties with a CDU-themed lure.  

This is the first time Mandiant observed the APT29 subcluster targeting political parties, suggesting an emerging interest beyond the typical targeting of diplomatic missions.

Targeted entities received phishing emails disguised as invitations to a dinner reception on March 1, featuring the logo of the German political party Christian Democratic Union (CDU). The phishing emails, written in German, included a link that led to a malicious ZIP file hosted on a compromised website.
The ZIP file contained a ROOTSAW dropper that is used to deploy a second-stage lure document also themed around the CDU, along with a WINELOADER payload retrieved from “waterforvoiceless[.]org/util.php”.

The WINELOADER backdoor supports multiple features and functions that overlap with other malware in the APT29’s arsenal such as BURNTBATTER, MUSKYBEAT and BEATDROP, which suggests they are likely developed by the same professionals.

WINELOADER is launched using the DLL side loading into a legitimate Windows executable, then it starts to decrypt the main implant logic itself using RC4.

Researchers at Zscaler ThreatLabz first detected WINELOADER in February 2023, the security firm attributed the campaign to an APT dubbed SPIKEDWINE.

Zscaler warned that SPIKEDWINE was a previously unknown threat actor that had been observed targeting European officials. The cyberspies used a bait PDF document masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024.

The campaign is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed by the threat actors.

“Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT29)