
European Diplomats Targeted by Midnight Blizzard Wine Tasting Phishing Scam


A recent cyber attack by the notorious Russian nation-state actor Midnight Blizzard has targeted European diplomats using a sophisticated phishing lure disguised as invitations to wine tasting events. The campaign, which has focused on Ministries of Foreign Affairs and embassies in multiple European countries, aims to infect victims with a new variant of the modular backdoor Wineloader.

According to researchers at Check Point, the emails carry malicious links that deploy a newly discovered loader called Grapeloader. Once Grapeloader is running, it retrieves a next-stage payload, which the researchers assess to be the Wineloader backdoor, a tool built to collect information from compromised devices in support of espionage operations. That information includes the IP address, process name, Windows username, machine name, process ID, and privilege level of the infected host.

Midnight Blizzard, also known as Cozy Bear and APT29, is an advanced persistent threat (APT) group associated with Russia’s foreign intelligence service (SVR). The group is known for its expertise in espionage and intelligence gathering activities targeting governments and critical industries. Previous campaigns by Midnight Blizzard have also targeted diplomats, using similar tactics to infiltrate their systems.

The phishing emails in this campaign impersonate specific individuals at a European Ministry of Foreign Affairs and are sent from attacker-controlled domains such as bakenhof.com and silry.com. The emails revolve around invitations to wine-tasting events and contain malicious links that, when clicked, download an archive named wine.zip. Where the first attempt fails, further waves of emails are sent to the same targets to lure them into clicking the link.

The wine.zip archive contains three files, including a heavily obfuscated DLL named ppcore.dll, which is the Grapeloader loader; it is executed through DLL side-loading by a legitimate executable shipped in the same archive. The loader establishes persistence by adding a Windows registry entry so that it is launched again, and the next-stage payload (in this case, Wineloader) re-deployed, each time the system reboots.

Grapeloader, a newly observed tool in this campaign, plays a crucial role in the initial stages of the attack by fingerprinting the environment, establishing persistence, and retrieving the next-stage payload. It employs various anti-analysis techniques to evade detection, such as string obfuscation and runtime API resolving.
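The persistence and side-loading pattern described above gives defenders a concrete hunt: a Run-key entry whose target executable lives in a user-writable directory, sitting next to DLLs that do not carry a valid signature. The PowerShell below, an added example that is not Check Point's code or the malware's, enumerates the usual Run and RunOnce keys and reports entries with that shape. The list of user-writable directories and the signature check are assumptions chosen for illustration, not indicators taken from the report, and any real alert from it needs triage before action.

```powershell
# Hunt for Run/RunOnce persistence whose target lives in a user-writable directory
# and sits beside DLLs without a valid Authenticode signature (the side-loading
# layout). Added example; directory list and checks are assumptions, not IOCs.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Locations a standard user can write to without elevation (assumed list).
$userWritable = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

function Get-ExecutablePath {
    param([string]$Command)
    # Expand %VAR% references, then strip quotes and arguments to get the binary path.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $valueNames = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
        foreach ($name in $valueNames) {
            $cmd = [string]$props.$name
            if (-not $cmd) { continue }
            $exe = Get-ExecutablePath $cmd

            # Only care about targets under a user-writable directory.
            $inUserDir = $userWritable | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inUserDir) { continue }

            $exeSig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'Missing' }

            # A validly signed EXE next to unsigned DLLs is the classic side-load arrangement.
            $dir = Split-Path $exe -Parent
            $unsignedDlls = @()
            if ($dir -and (Test-Path $dir)) {
                $unsignedDlls = Get-ChildItem -Path $dir -Filter *.dll -ErrorAction SilentlyContinue |
                    Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } |
                    Select-Object -ExpandProperty Name
            }

            [pscustomobject]@{
                Key          = $key
                ValueName    = $name
                Command      = $cmd
                Executable   = $exe
                ExeSignature = $exeSig
                UnsignedDlls = ($unsignedDlls -join ', ')
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable; entries where ExeSignature is Valid but UnsignedDlls is non-empty are the ones worth pulling for analysis first, since that is exactly the combination a side-loaded loader produces.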

The latest version of Wineloader deployed in this campaign has evolved from earlier iterations, adding stealth and evasion mechanisms. The new variant profiles the infected machine before reporting to its command and control server, which complicates detection and makes the intrusion harder to identify and contain.

The researchers concluded that the links between Grapeloader and Wineloader suggest that Wineloader is likely delivered in later stages of the attack. The evolving tactics and techniques used by Midnight Blizzard highlight the persistent threat posed by state-sponsored cyber espionage groups and the importance of robust cybersecurity measures to protect against such attacks.
