
Hackers Deploying Weaponized PDF Files to Initiate Infection Cycle


Threat actors have been using weaponized PDF files to gain initial access, exploiting vulnerabilities in PDF readers and tricking users into launching malicious payloads. The popularity and perceived trustworthiness of PDF files have made them a prime vehicle for cybercriminals looking to deliver malware and kick off an infection chain.

Researchers at Zscaler’s ThreatLabz have identified a new backdoor known as ‘WINELOADER’ being used in targeted attacks exploiting Indian-European diplomatic relations. The threat actor group, dubbed SPIKEDWINE by analysts because of the wine-themed elements in its attack chain, executed a sophisticated, low-volume attack aimed at compromising sensitive information.

The attack begins with a weaponized PDF disguised as an invitation to a wine event at the Indian ambassador’s residence on February 2, 2024, using official language to deceive recipients. The PDF contains a link to a fake survey, which serves as the entry point for the infection process, leading victims to a compromised site at hxxps://seeceafcleaners[.]co[.]uk/wine.php. The metadata of the PDF reveals that it was created using LibreOffice 6.4 on January 29, 2024, at 10:38 AM UTC.
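The two details the report pulls from the lure document, the embedded link and the creation metadata, are exactly what an analyst extracts first when triaging a suspicious PDF. The following script is an added example written for this page, not code from Zscaler or from the report; it works on a constructed minimal PDF embedded inline (not the real lure), inflates any FlateDecode streams so that compressed objects are searched too, and defangs every URI it finds so the output is safe to paste into a ticket. The regexes are deliberately simple (no PDF string escapes, no object streams beyond plain inflate), which is adequate for a first-pass check but not a full PDF parser.

```python
import re
import zlib
from datetime import datetime, timezone

# Constructed minimal PDF (hand-written objects, not the real lure document).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/wine.php) >> >>
endobj
5 0 obj
<< /Producer (LibreOffice 6.4) /CreationDate (D:20240129103800Z) >>
endobj
trailer
<< /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# Same link, but hidden inside a FlateDecode stream so a naive grep misses it.
_HIDDEN_OBJ = zlib.compress(b"<< /S /URI /URI (https://example.invalid/survey) >>")
SAMPLE_PDF_COMPRESSED = (
    b"%PDF-1.4\n6 0 obj\n<< /Filter /FlateDecode /Length "
    + str(len(_HIDDEN_OBJ)).encode() + b" >>\nstream\n" + _HIDDEN_OBJ
    + b"\nendstream\nendobj\n%%EOF\n"
)

URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
INFO_RE = re.compile(rb"/(?P<key>Producer|Creator|CreationDate|ModDate)\s*\((?P<val>[^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# PDF date: D:YYYYMMDDHHmmSS followed by an optional timezone suffix.
PDF_DATE_RE = re.compile(r"^D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?")


def inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the body of every stream that inflates cleanly."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not a FlateDecode stream (image data, etc.)
    return data + b"\n" + b"\n".join(extra)


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked: https://a.b/c -> hxxps://a[.]b/c."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def parse_pdf_date(value: str):
    """Parse a PDF date string; the timezone suffix is ignored and the value is
    reported as UTC (extend the regex if offsets matter for your timeline)."""
    m = PDF_DATE_RE.match(value)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(p) if p else 0 for p in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def triage(data: bytes) -> dict:
    """Extract defanged links and document-info metadata from a PDF byte blob."""
    corpus = inflate_streams(data)
    links = [defang(m.group("uri").decode("latin-1")) for m in URI_RE.finditer(corpus)]
    info = {m.group("key").decode(): m.group("val").decode("latin-1")
            for m in INFO_RE.finditer(corpus)}
    created = parse_pdf_date(info.get("CreationDate", ""))
    return {
        "links": links,
        "info": info,
        "created_utc": created.isoformat() if created else None,
    }


if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PDF), ("compressed", SAMPLE_PDF_COMPRESSED)):
        print(name, triage(blob))
```

Run it against a file with `triage(open(path, "rb").read())`; a document whose producer is an office suite but which carries a single external link to a freshly registered domain is a common lure pattern and worth a closer look in a sandbox.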

Once the victim interacts with the malicious PDF, an HTA file is executed, running obscured JavaScript to initiate the next stage of the attack. The HTA file contains decoy content mirroring the fake wine event details, while also performing key functions such as downloading a Base64 encoded text file from a specific URL, decoding and saving it to the system, and executing a rogue vcruntime140.dll to decrypt the WINELOADER payload.

WINELOADER employs advanced encryption techniques to protect its core modules, strings, and command and control (C2) data, dynamically decrypting and re-encrypting certain strings as needed. Through DLL hollowing, WINELOADER is injected into a randomly selected Windows DLL, using SECFORCE’s method with added randomization to avoid detection. The payload is designed to evade injection into specific critical system DLLs in order to maintain stealth.

After successful injection, WINELOADER establishes communication with the C2 server by sending HTTP GET requests whose contents are encrypted with a 256-byte RC4 key. The malware supports commands for module execution, DLL injection, and beacon interval updates, ensuring persistent access to compromised systems. The C2 server responds selectively to frustrate automated analysis, underlining the threat actor’s interest in staying stealthy while exploiting Indo-European relations.
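Because the C2 traffic is encrypted and the server answers selectively, content inspection alone gives little to alert on; what survives is the timing of the GET requests, which the "beacon interval" command exists to control. The script below is an added example for this page, not code from the report or from Zscaler: it parses a constructed proxy log (the format, hosts and timestamps are all assumptions) and flags any client/host pair that is contacted a minimum number of times at near-constant intervals, using the coefficient of variation of the inter-request gaps as the regularity score.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy log (assumed format: timestamp client method url status).
# beacon.example.invalid is polled roughly every 60 s; news.example.invalid is
# ordinary irregular browsing from the same client.
SAMPLE_LOG = """\
2024-02-02T10:00:00Z 10.0.0.5 GET https://beacon.example.invalid/check?x=1 200
2024-02-02T10:00:07Z 10.0.0.5 GET https://news.example.invalid/ 200
2024-02-02T10:01:00Z 10.0.0.5 GET https://beacon.example.invalid/check?x=2 200
2024-02-02T10:01:31Z 10.0.0.5 GET https://news.example.invalid/story/1 200
2024-02-02T10:02:01Z 10.0.0.5 GET https://beacon.example.invalid/check?x=3 200
2024-02-02T10:02:59Z 10.0.0.5 GET https://beacon.example.invalid/check?x=4 200
2024-02-02T10:03:44Z 10.0.0.5 GET https://news.example.invalid/story/9 200
2024-02-02T10:04:00Z 10.0.0.5 GET https://beacon.example.invalid/check?x=5 200
2024-02-02T10:05:00Z 10.0.0.5 GET https://beacon.example.invalid/check?x=6 200
2024-02-02T10:09:12Z 10.0.0.5 GET https://news.example.invalid/story/3 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text: str):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = m.group(4).split("://", 1)[-1].split("/", 1)[0]
        yield ts, m.group(2), host


def find_beacons(text: str, min_requests: int = 5, max_cv: float = 0.2):
    """Return client/host pairs whose request gaps are suspiciously regular.

    cv = stdev(gaps) / mean(gaps); a human clicking around produces cv well
    above 0.5, a timer-driven beacon with little jitter sits near 0.
    """
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: not a timer pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

The thresholds are starting points, not tuned values: a beacon with deliberate jitter raises the cv, so in practice the score is combined with other weak signals (rare destination, constant request size, empty or tiny responses, which matches a server that mostly declines to answer) rather than used alone.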

In conclusion, this weaponized-PDF campaign highlights the evolving sophistication of cyber threats targeting diplomatic entities. Organizations are advised to implement robust security measures against malware infections and to remain vigilant against emerging threat actors like SPIKEDWINE. Staying current with cybersecurity news helps defenders keep ahead of evolving threats.
