A beforehand undocumented risk actor dubbed SPIKEDWINE has been noticed focusing on officers in European international locations with Indian diplomatic missions utilizing a brand new backdoor known as WINELOADER.
The adversary, in line with a report from Zscaler ThreatLabz, used a PDF file in emails that purported to return from the Ambassador of India, inviting diplomatic workers to a wine-tasting occasion on February 2, 2024.
The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That stated, there may be proof to recommend that this marketing campaign could have been lively no less than since July 6, 2023, going by the invention of another similar PDF file uploaded from the identical nation.
“The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure,” safety researchers Sudeep Singh and Roy Tay stated.
Central to the novel assault is the PDF file that comes embedded with a malicious hyperlink that masquerades as a questionnaire, urging the recipients to fill it out with a view to take part. Clicking on the hyperlink paves the best way for an HTML utility (“wine.hta”) that incorporates obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the identical area.
The malware is full of a core module that is designed to Execute modules from the C2 server, inject itself into one other dynamic-link library (DLL), and replace the sleep interval between beacon requests.
A notable facet of the cyber incursions is the usage of compromised web sites for C2 and internet hosting intermediate payloads. It is suspected that the “C2 server only responds to specific types of requests at certain times,” thereby making the assaults extra evasive.
“The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions,” the researchers stated.
Author: information@thehackernews.com (The Hacker Information)
Date: 2024-02-29 03:19:00