Fine wine is a cultural trait that Europeans are renowned for, but attackers behind a recent threat campaign have exploited this to their advantage. By luring European Union (EU) diplomats with a fake wine-tasting event, the cyber operation aimed to deliver a unique backdoor.
In a blog post published on February 27, researchers at Zscaler's ThreatLabz reported that they had found the campaign, which especially targeted officials from EU nations with diplomatic posts in India. The actor, dubbed "SpikedWine," used a PDF file in emails that pretended to be an invitation letter from India's embassy, inviting diplomats to a wine-tasting event on February 2.
"We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack," Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay explained in the post.
The campaign's payload is a backdoor known as "WineLoader," which has a modular design and uses tactics designed to avoid detection. These include re-encryption and zeroing out memory buffers, which serve to safeguard sensitive data in memory while evading memory forensics tools, the researchers stated.
SpikedWine employed compromised websites for command-and-control (C2) at different phases of the attack chain, which started with a victim clicking on a link in the PDF and ended with the modular distribution of WineLoader. Overall, the cyber attackers exhibited a high degree of expertise, both in the creative design of the socially engineered campaign and in the delivery of the malware.
Zscaler ThreatLabz found the PDF file, which was uploaded to VirusTotal from Latvia on January 30. The attackers meticulously built the contents to imitate India's ambassador, and the invitation contains a malicious link to a false questionnaire that must be completed in order to participate.
Clicking on the link takes users to a hacked site where they can download a zip archive containing a file named "wine.hta." The downloaded file contains obfuscated JavaScript code that triggers the next stage of the attack.
Eventually, the file runs sqlwriter.exe from the directory C:\Windows\Tasks\ to initiate the WineLoader backdoor infection chain by loading a malicious DLL called vcruntime140.dll. This, in turn, calls an exported method set_se_translator, which decrypts the embedded WineLoader core module within the DLL using a hardcoded 256-byte RC4 key before running it.
Protection and detection
Zscaler ThreatLabz warned contacts at India's National Informatics Centre (NIC) about the attack's usage of Indian official themes.
The C2 server used in the assault only replies to specific types of queries at specific times, therefore automated analysis systems cannot acquire C2 responses and modular payloads for detection and analysis, according to the researchers. To assist defenders, they offered a list of indicators of compromise (IoCs) and URLs related to the attack in their blog post.
A multilayered cloud security platform should detect IoCs linked to WineLoader at multiple levels, including any files containing the threat name Win64.Downloader.WineLoader, the researchers concluded.
