New Midnight Blizzard spear-phishing campaign targets European diplomatic orgs

BleepingComputer reports that Russian state-backed threat group Midnight Blizzard, also known as APT29 or Cozy Bear, has targeted embassies and other diplomatic organizations across Europe with the novel GrapeLoader malware loader and updated WineLoader backdoor variant as part of a spear-phishing campaign that began in January.
The attacks began with fraudulent emails impersonating a Ministry of Foreign Affairs and purporting to be an invitation to a wine-tasting event, according to an analysis from Check Point Research. The emails carried a link that downloads a ZIP archive containing a legitimate PowerPoint executable, an accompanying DLL file, and the GrapeLoader payload. GrapeLoader, which is believed to have replaced the earlier RootSaw loader, conducts reconnaissance on the host and then launches a new version of the modular WineLoader backdoor. That variant not only collects extensive host details for cyberespionage but also hinders analysis through junk instructions, export table discrepancies, and RVA duplication. "Previously, automated tools like FLOSS could easily extract and deobfuscate strings from an unpacked WINELOADER sample. The improved implementation in the new variant disrupts this process, making automated string extraction and deobfuscation fail," said the report.
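The article names "export table discrepancies" and "RVA duplication" as anti-analysis tricks but does not describe them. The following is an added triage example, written for this page and not Check Point's or the article's own tooling: it parses a PE IMAGE_EXPORT_DIRECTORY with the standard library and flags the two conditions a practitioner would check for first. It assumes "RVA duplication" means several exported names resolving to the same function RVA (an interpretation, not a detail from the report), and it builds a constructed export section in memory rather than reading a real DLL, so it runs offline.

```python
"""Export-directory triage: flag duplicated function RVAs and name/function-count
discrepancies. Added example; the input section is constructed, not taken from
any real sample, and the "duplicate RVA" heuristic is an assumed reading of the
report's wording."""
import struct
from collections import defaultdict

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
# AddressOfNameOrdinals (40 bytes, little-endian).
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)


def parse_export_directory(section: bytes, section_rva: int, export_dir_rva: int):
    """Parse the export directory held in one mapped section.

    `section` is the raw bytes of the section containing the export data and
    `section_rva` its virtual address; every RVA in the table is resolved as
    (rva - section_rva). Returns (names, functions): `names` maps export name ->
    function RVA, `functions` is the full AddressOfFunctions array, which may be
    longer than `names` when the module has ordinal-only exports.
    """
    def off(rva: int) -> int:
        o = rva - section_rva
        if not 0 <= o < len(section):
            raise ValueError(f"RVA 0x{rva:x} points outside the export section")
        return o

    (_, _, _, _, _name_rva, _base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, section, off(export_dir_rva))

    functions = list(struct.unpack_from(f"<{n_funcs}I", section, off(funcs_rva)))
    name_rvas = struct.unpack_from(f"<{n_names}I", section, off(names_rva))
    # AddressOfNameOrdinals holds unbiased indexes into AddressOfFunctions.
    ordinals = struct.unpack_from(f"<{n_names}H", section, off(ords_rva))

    names = {}
    for name_rva, ordinal in zip(name_rvas, ordinals):
        if ordinal >= n_funcs:
            raise ValueError("name ordinal exceeds NumberOfFunctions")
        start = off(name_rva)
        end = section.index(b"\x00", start)
        names[section[start:end].decode("ascii")] = functions[ordinal]
    return names, functions


def export_anomalies(names: dict, functions: list) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    by_rva = defaultdict(list)
    for name, rva in names.items():
        by_rva[rva].append(name)
    for rva, group in by_rva.items():
        if len(group) > 1:
            findings.append(f"duplicate RVA 0x{rva:x} shared by {sorted(group)}")
    # Weak signal on its own: legitimate DLLs with ordinal-only exports also have
    # NumberOfFunctions > NumberOfNames. Treat it as a prompt to look closer.
    if len(names) != len(functions):
        findings.append(f"NumberOfNames ({len(names)}) != NumberOfFunctions ({len(functions)})")
    return findings


def build_export_section(section_rva: int, named, unnamed_rvas=()) -> bytes:
    """Construct a minimal export section for testing (sample data, not a real binary).

    `named` is a list of (export_name, function_rva); `unnamed_rvas` adds
    ordinal-only entries to AddressOfFunctions.
    """
    functions = [rva for _, rva in named] + list(unnamed_rvas)
    n_funcs, n_names = len(functions), len(named)
    funcs_off = EXPORT_DIR_SIZE
    names_off = funcs_off + 4 * n_funcs
    ords_off = names_off + 4 * n_names
    strings_off = ords_off + 2 * n_names

    strings = bytearray()
    name_rvas = []
    for name, _ in named:
        name_rvas.append(section_rva + strings_off + len(strings))
        strings += name.encode("ascii") + b"\x00"

    header = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, 0, 1, n_funcs, n_names,
                         section_rva + funcs_off, section_rva + names_off, section_rva + ords_off)
    return (header
            + struct.pack(f"<{n_funcs}I", *functions)
            + struct.pack(f"<{n_names}I", *name_rvas)
            + struct.pack(f"<{n_names}H", *range(n_names))
            + bytes(strings))


if __name__ == "__main__":
    # Constructed sample: two names pointing at one function, plus an ordinal-only export.
    SECTION_RVA = 0x3000
    sample = build_export_section(SECTION_RVA,
                                  [("Init", 0x1000), ("Run", 0x1000), ("Cleanup", 0x1200)],
                                  unnamed_rvas=(0x1400,))
    names, functions = parse_export_directory(sample, SECTION_RVA, SECTION_RVA)
    for finding in export_anomalies(names, functions):
        print(finding)
```

To run this against a real DLL, feed `parse_export_directory` the raw bytes of the section that contains the export directory (from the section table) together with that section's VirtualAddress and the DataDirectory[0] RVA; forwarded exports, whose RVAs land inside the export directory itself, are not distinguished here and would need an extra check.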