Home Hacker New Backdoor Focusing on European Officers Linked to Indian Diplomatic Occasions

New Backdoor Focusing on European Officers Linked to Indian Diplomatic Occasions

0
New Backdoor Focusing on European Officers Linked to Indian Diplomatic Occasions

Feb 29, 2024NewsroomCyber Espionage / Malware

Backdoor

A beforehand undocumented risk actor dubbed SPIKEDWINE has been noticed focusing on officers in European international locations with Indian diplomatic missions utilizing a brand new backdoor known as WINELOADER.

The adversary, in line with a report from Zscaler ThreatLabz, used a PDF file in emails that purported to return from the Ambassador of India, inviting diplomatic workers to a wine-tasting occasion on February 2, 2024.

Cybersecurity

The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That stated, there may be proof to recommend that this marketing campaign could have been lively no less than since July 6, 2023, going by the invention of another similar PDF file uploaded from the identical nation.

“The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure,” safety researchers Sudeep Singh and Roy Tay stated.

Backdoor

Central to the novel assault is the PDF file that comes embedded with a malicious hyperlink that masquerades as a questionnaire, urging the recipients to fill it out with a view to take part. Clicking on the hyperlink paves the best way for an HTML utility (“wine.hta”) that incorporates obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the identical area.

The malware is full of a core module that is designed to Execute modules from the C2 server, inject itself into one other dynamic-link library (DLL), and replace the sleep interval between beacon requests.

Cybersecurity

A notable facet of the cyber incursions is the usage of compromised web sites for C2 and internet hosting intermediate payloads. It is suspected that the “C2 server only responds to specific types of requests at certain times,” thereby making the assaults extra evasive.

“The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions,” the researchers stated.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.


Author: information@thehackernews.com (The Hacker Information)
Date: 2024-02-29 03:19:00

Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here