
European Diplomats Targeted by Midnight Blizzard Using Wine Tasting as Bait


Notorious Russian nation-state actor Midnight Blizzard has once again been identified targeting European diplomats with a sophisticated phishing campaign. The cyber espionage group, also known as Cozy Bear and APT29, is believed to be linked to Russia’s foreign intelligence service (SVR) and is known for its espionage and intelligence gathering operations against governments and critical industries.

The latest campaign by Midnight Blizzard involves luring diplomats from multiple European countries, especially Ministries of Foreign Affairs and embassies, with invitations to wine tasting events. Check Point researchers have discovered that the attackers are using phishing emails to distribute a newly discovered loader called Grapeloader, which ultimately infects victims with a new variant of the modular backdoor Wineloader. This backdoor is designed to gather sensitive information from compromised devices, including IP addresses, process names, Windows usernames, machine names, Process IDs, and privilege levels.

The Wineloader backdoor has been previously observed in Midnight Blizzard campaigns targeting diplomats, highlighting the group’s persistent efforts to gather intelligence through cyber means. The phishing emails impersonate specific individuals within the mimicked Ministry of Foreign Affairs and are sent from domains such as bakenhof[.]com and silry[.]com. The emails use themes of wine-tasting events to entice victims, with a malicious link that, when clicked, initiates the download of a file named wine.zip for further stages of the attack.

In cases where initial attempts fail, additional waves of emails are sent to persuade victims to click the malicious link. The server hosting the link is well-protected against scanning and automated analysis tools, ensuring that the malicious download is triggered only under specific conditions. Once the wine.zip archive is executed, Grapeloader is deployed as a loader, establishing persistence on the infected machine by modifying the Windows registry’s Run key.
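As an added detection example (not code from Check Point or the article), the triage below runs over constructed mail-gateway log lines and flags the two indicators the article names: mail from the sender domains bakenhof[.]com or silry[.]com, and a wine-tasting themed message whose link points at a wine.zip download. The log format, the `triage` function and the sample addresses are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Indicators named in the article: sender domains (defanged there as
# bakenhof[.]com / silry[.]com) and the lure archive name.
SENDER_DOMAINS = {"bakenhof.com", "silry.com"}
LURE_ARCHIVE = "wine.zip"
LURE_KEYWORDS = ("wine tasting", "wine-tasting")

_FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")
_URL_RE = re.compile(r"url=(\S+)")
_SUBJ_RE = re.compile(r'subject="([^"]*)"')

@dataclass
class Finding:
    line_no: int
    reason: str

def triage(log_lines):
    """Flag mail-gateway log lines matching the campaign's indicators.

    A known sender domain is flagged on its own; a wine-tasting subject is
    only flagged when the link also points at the lure archive, so routine
    event mail between colleagues does not fire."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        fm, um, sm = _FROM_RE.search(line), _URL_RE.search(line), _SUBJ_RE.search(line)
        domain = fm.group(1).lower() if fm else ""
        url = um.group(1).lower() if um else ""
        subject = sm.group(1).lower() if sm else ""
        if domain in SENDER_DOMAINS:
            findings.append(Finding(n, f"known campaign sender domain {domain}"))
        elif url.endswith("/" + LURE_ARCHIVE) and any(k in subject for k in LURE_KEYWORDS):
            findings.append(Finding(n, f"wine-tasting lure linking to {LURE_ARCHIVE}"))
    return findings

# Constructed sample log lines (hypothetical format, not real telemetry).
SAMPLE_LOG = [
    'ts=2025-04-15T09:12:03Z from=<press.office@bakenhof.com> to=<a.b@mfa.example> subject="Wine tasting invitation" url=https://bakenhof.com/events/wine.zip',
    'ts=2025-04-15T09:14:40Z from=<newsletter@vendor.example> to=<a.b@mfa.example> subject="Weekly update" url=https://vendor.example/news',
    'ts=2025-04-15T10:02:11Z from=<events@lookalike.example> to=<c.d@mfa.example> subject="Ambassador\'s wine-tasting evening" url=https://cdn.lookalike.example/dl/wine.zip',
    'ts=2025-04-15T11:30:00Z from=<colleague@mfa.example> to=<c.d@mfa.example> subject="wine tasting next week?" url=https://mfa.example/calendar',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

The second rule deliberately requires both the theme and the archive link, since a subject-only match would flag legitimate invitations; pair either hit with a check of the Run key on the recipient's host, where the article says Grapeloader establishes persistence.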

Grapeloader plays a crucial role in the initial stages of the attack, fingerprinting the infected environment, establishing persistence, and retrieving the next-stage payload – Wineloader. The researchers have noted that Grapeloader employs various anti-analysis techniques, including string obfuscation, runtime API resolving, and DLL unhooking to evade detection and analysis.

The new version of Wineloader deployed in this campaign has evolved from previous iterations, incorporating refined techniques and enhanced stealth and evasion capabilities. It shares techniques with Grapeloader, such as string obfuscation, and employs additional anti-analysis techniques like code mutation, junk instruction insertion, and structural obfuscation. Wineloader collects information on the infected machine’s environment and sends this data to a command and control server, further complicating detection efforts.

The researchers have concluded that Wineloader is likely delivered in later stages of the attack, building on the groundwork laid by Grapeloader. As Midnight Blizzard continues its cyber espionage operations targeting European diplomats, organizations must remain vigilant and implement robust security measures to defend against sophisticated phishing campaigns and malware threats.
