{"id":2625,"date":"2024-02-28T18:07:30","date_gmt":"2024-02-28T18:07:30","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/cyberattackers-lure-eu-diplomats-wine-tasting-offers"},"modified":"2024-02-28T18:07:30","modified_gmt":"2024-02-28T18:07:30","slug":"cyberattackers-lure-eu-diplomats-with-wine-tasting-offers","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/02\/28\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers\/","title":{"rendered":"Cyberattackers Lure EU Diplomats With Wine-Tasting Offers"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt3972fd1546edfdb9\/65df710ad8c410040aea4a26\/wine-Katerina_Solovyeva-alamy.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Europeans are known to enjoy fine wine, a cultural characteristic that&#8217;s been used against them by attackers behind a recent threat campaign. 
The cyber operation aimed to deliver a <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/endpoint-security\/upgraded-kazuar-backdoor-offers-stealthy-power\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">novel backdoor<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> by luring European Union (EU) diplomats with a fake wine-tasting event.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Researchers at Zscaler&#8217;s ThreatLabz discovered the campaign, which specifically targeted officials from EU countries with Indian diplomatic missions, they wrote <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/european-diplomats-targeted-spikedwine-wineloader\" target=\"_blank\" rel=\"sponsored noopener\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\">in a blog post<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> published Feb. 27. The actor \u2014 appropriately dubbed &#8220;SpikedWine&#8221; \u2014 used a PDF file in emails purporting to be an invitation letter from the ambassador of India, inviting diplomats to a wine-tasting event on Feb. 
2.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack,&#8221; Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay wrote in the post.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The campaign&#8217;s payload is a <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/operation-jacana-dinodasrat-custom-backdoor\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">backdoor<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> that researchers have called &#8220;WineLoader,&#8221; which has a modular design and employs techniques specifically to evade detection. Those include re-encryption and zeroing out memory buffers, which serve to guard sensitive data in memory and evade memory forensics solutions, the researchers noted.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">SpikedWine used compromised websites for command-and-control (C2) at multiple stages of the attack chain, which starts when a victim clicks on a link in the PDF and ends with the modular delivery of WineLoader. 
Overall, the cyberattackers showed a high level of sophistication both in the creative crafting of the socially engineered campaign and the malware, the researchers said.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"SpikedWine Uncorks Multiple Cyberattack Phases\">SpikedWine Uncorks Multiple Cyberattack Phases<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Zscaler ThreatLabz discovered the PDF file \u2014 the invite to a purported wine-tasting at the Indian ambassador\u2019s residence \u2014 uploaded to VirusTotal from Latvia on Jan. 30. Attackers crafted the contents carefully to impersonate the ambassador of India, and the invitation includes a malicious link to a fake questionnaire under the premise that it must be filled out in order to participate.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Clinking \u2014 err, clicking \u2014 on the link redirects users to a compromised site that proceeds to download a zip archive containing a file called &#8220;wine.hta.&#8221; The downloaded file contains obfuscated JavaScript code that executes the next stage of the attack.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Eventually, the file executes a file named sqlwriter.exe from the path: C:\\Windows\\Tasks\\ to start the WineLoader backdoor infection chain by loading a malicious DLL named vcruntime140.dll. 
This in turn executes an exported function <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_italic\">set_se_translator<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, which decrypts the embedded WineLoader core module within the DLL using a hardcoded 256-byte RC4 key before executing it.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"WineLoader: Modular, Persistent Backdoor Malware\">WineLoader: Modular, Persistent Backdoor Malware<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">WineLoader has several modules, each of which consists of configuration data, an RC4 key, and encrypted strings, followed by the module code. 
The modules observed by the researchers include a core module and a persistence module.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The core module supports three commands: the execution of modules from the command-and-control server (C2) either synchronously or asynchronously; the injection of the backdoor into another DLL; and the updating of the sleep interval between beacon requests.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The persistence module is aimed at allowing <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/remote-workforce\/fake-google-ads-lure-corporate-workers-download-lobshot-backdoor\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">the backdoor<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> to execute itself at certain intervals. It also offers an alternative configuration to establish registry persistence at another location on a targeted machine.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Cyberttacker's Evasive Tactics\">Cyberattacker&#8217;s Evasive Tactics<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">WineLoader has a number of functions specifically aimed at evading detection, demonstrating a notable level of sophistication by SpikedWine, the researchers said. 
It encrypts the core module and subsequent modules downloaded from the C2 server, strings, and data sent and received from C2 \u2014 with a hardcoded 256-byte RC4 key.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The malware also decrypts some strings on use that are then re-encrypted shortly after, the researchers said. And it includes memory buffers that store results from API calls, as well as replaces decrypted strings with zeroes after use.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Another notable aspect of how SpikedWine operates is that the actor uses compromised network infrastructure at all stages of the attack chain. Specifically, the researchers identified three compromised websites used for hosting intermediate payloads or as C2 servers, they said.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Protection &amp; Detection (How to Avoid Red Wine Stains)\">Protection &amp; Detection (How to Avoid Red Wine Stains)<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Zscaler ThreatLabz has notified contacts at the National Informatics Center (NIC) in India about the abuse of Indian government themes in the attack.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">As the C2 server used in the attack responds only to specific types of requests at certain times, automated analysis solutions cannot retrieve C2 responses 
and modular payloads for detection and analysis, the researchers said. To help defenders, they included a list of indicators of compromise (IoCs) and URLs associated with the attack in their blog post.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A multilayered <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a href=\"https:\/\/www.darkreading.com\/cloud-security\/zero-trust-ai-and-capital-markets-drive-consolidation-in-cloud-security\" target=\"_blank\" class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" rel=\"noopener\">cloud security platform<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> should detect IoCs related to WineLoader at various levels, such as any files with the threat name, Win64.Downloader.WineLoader, the researchers noted.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/cyberattackers-lure-eu-diplomats-wine-tasting-offers\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Europeans are known to enjoy fine wine, a cultural 
characteristic<\/p>\n","protected":false},"author":12,"featured_media":2626,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2625","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=1120%2C747&ssl=1",1120,747,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=640%2C427&ssl=1",640,427,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=640%2C427&ssl=1",640,427,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=1120%2C747&ssl=1",1120,747,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=1120%2C747&ssl=1",1120,747,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=1024%2C683&ssl=1",1024,683,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberatta
ckers-lure-eu-diplomats-with-wine-tasting-offers.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/02\/cyberattackers-lure-eu-diplomats-with-wine-tasting-offers.png?fit=1120%2C747&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2625"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2625\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2626"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2625"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2625"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}