Russian cyberespionage group APT29 launches new campaign targeting politicians

Researchers warn that a cyberespionage group linked to Russia’s foreign intelligence service, the SVR, has recently launched a spear-phishing campaign against one of Germany’s major political parties. This is a departure from the group’s typical targeting of government agencies and foreign diplomatic missions, and the researchers expect similar activity to spread to political organizations beyond Germany.

According to an analysis by incident response firm Mandiant, the phishing attacks impersonated Germany’s Christian Democratic Union (CDU) party and invited recipients to a dinner reception. A malicious link in the email directed users to a malware dropper that eventually deployed a new variant of a backdoor program recently added to APT29’s arsenal.

“As highlighted in our previous research detailing APT29’s operations in the first half of 2023, these malware delivery operations are highly adaptive, and continue to evolve in lockstep with Russia’s geopolitical realities,” Mandiant researchers said in a new report. “We therefore suspect that APT29’s interest in these organizations is unlikely to be limited to Germany. Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future SVR-linked cyber-espionage activity given Moscow’s vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues.”

From ROOTSAW malware dropper to WINELOADER backdoor

The malicious links prompt users to download a .zip archive containing a malware dropper that Mandiant calls ROOTSAW and that has been part of APT29’s toolkit since at least 2021. The dropper, also known in the industry as EnvyScout, contains obfuscated JavaScript that reaches out to an attacker-controlled domain and downloads a file called invite.txt, which is not a text file but an encoded archive.

On the victim’s machine the file is decoded with the built-in Windows certutil utility (whose -decode switch turns base64 text back into a binary file) and then unpacked with tar, which has shipped with Windows since Windows 10. Both are legitimate, signed system tools, so this part of the chain leaves no malware on disk until the archive is extracted. The archive contains a new backdoor variant that Mandiant named WINELOADER, which is loaded via DLL sideloading by the legitimate Microsoft SqlDumper.exe, a component of SQL Server.
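The delivery chain described above (decode with certutil, unpack with tar, then launch SqlDumper.exe from a user-writable directory so that it sideloads the malicious DLL) leaves a distinctive sequence in process-creation telemetry. The following Python script is an added example, not Mandiant’s detection rules or any code from the report: it correlates those three stages per host within a short time window. The pipe-delimited log format and every sample event are constructed for the demonstration, and the list of “trusted” install prefixes used to decide that SqlDumper.exe is running from an unexpected location is an assumption.

```python
"""Correlate the certutil -> tar -> SqlDumper.exe sideload chain in process-creation logs.

Added example, not Mandiant's rules. The pipe-delimited event format
(timestamp|host|parent_image|image|command_line) and every sample event are
constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# How close together the stages must be to count as one chain (assumption).
WINDOW = timedelta(minutes=10)

# Where a legitimate SqlDumper.exe would live; anything else is treated as a
# user-writable, suspicious location. Heuristic, not exhaustive.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")

# Constructed sample telemetry: WS01 shows the full chain, WS02 and WS03 are benign noise.
SAMPLE_LOG = r"""
2024-03-01T09:58:10Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil -decode C:\Users\alice\AppData\Local\Temp\invite.txt C:\Users\alice\AppData\Local\Temp\invite.zip
2024-03-01T09:58:12Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\tar.exe|tar -xf C:\Users\alice\AppData\Local\Temp\invite.zip -C C:\Users\alice\AppData\Local\Temp\inv
2024-03-01T09:58:15Z|WS01|C:\Windows\explorer.exe|C:\Users\alice\AppData\Local\Temp\inv\sqldumper.exe|sqldumper.exe
2024-03-01T10:30:00Z|WS02|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -verify -urlfetch server.cer
2024-03-01T11:00:00Z|WS03|C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe|C:\Program Files\Microsoft SQL Server\150\Shared\SQLDumper.exe|SQLDumper.exe 4242
"""


def parse_events(text):
    """Turn the pipe-delimited log into event dicts with tz-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "parent": parent, "image": image, "cmd": cmd,
        })
    return events


def classify(ev):
    """Map one event to a chain stage, or None if it is not interesting."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmd"].lower()
    if name == "certutil.exe" and re.search(r"[-/]decode\b", cmd):
        return "certutil_decode"
    if name == "tar.exe":
        tokens = cmd.split()
        # 'tar -xf', 'tar xf', 'tar -x': an extraction mode letter in the first option.
        if len(tokens) > 1 and re.fullmatch(r"-?[a-z]*x[a-z]*", tokens[1]):
            return "tar_extract"
    if name == "sqldumper.exe" and not ev["image"].lower().startswith(TRUSTED_PREFIXES):
        return "sqldumper_user_path"
    return None


def correlate(events, window=WINDOW):
    """Return (host, severity, stages) alerts, one per host, using a sliding time window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))

    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if "sqldumper_user_path" in stages and stages & {"certutil_decode", "tar_extract"}:
                alerts.append((host, "high", sorted(stages)))
                break
            if {"certutil_decode", "tar_extract"} <= stages:
                alerts.append((host, "medium", sorted(stages)))
                break
        else:
            # No multi-stage match; a lone SqlDumper.exe outside a trusted path still merits a look.
            if any(s == "sqldumper_user_path" for _, s in hits):
                alerts.append((host, "low", ["sqldumper_user_path"]))
    return alerts


if __name__ == "__main__":
    for host, severity, stages in correlate(parse_events(SAMPLE_LOG)):
        print(f"{severity.upper():6} {host}: {', '.join(stages)}")
```

On the sample data only WS01 fires (high): certutil -verify on WS02 is a common benign use, and SQLDumper.exe on WS03 runs from its SQL Server install directory. Real telemetry would also want the image-load event for the sideloaded DLL, which this process-only example does not model.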

WINELOADER was first analyzed in February by researchers from security company Zscaler, who found it after examining a PDF uploaded to VirusTotal from Latvia. The PDF masqueraded as a letter from the Ambassador of India inviting diplomats to a wine-tasting event in February 2024, a lure similar to the new one impersonating the German CDU. In fact, the whole infection chain Zscaler documented closely matches what Mandiant observed, and the new attack also drops a decoy PDF carrying the rogue CDU invitation.

Similarities with older APT29 backdoors

While Zscaler did not link the January attack to any named APT group, its researchers believed at the time that it was the work of a nation-state threat actor seeking to exploit diplomatic relations, which is typical of APT29 targeting. Going further, Mandiant has established clear similarities in design and code between WINELOADER and two older backdoors tracked as BURNTBATTER and MUSKYBEAT that are associated exclusively with APT29.

“However, the code family itself is considerably more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism,” the researchers said in their analysis. “Additionally, WINELOADER contains the following shared techniques with other code families used by APT29: The RC4 algorithm used to decrypt the next stage payload; process/DLL name check to validate the payload context (in use since early BEATDROP variants) and Ntdll usermode hook bypass (in use since early BEATDROP variants).”

WINELOADER is executed via DLL sideloading into a legitimate Windows executable, a technique meant to make detection harder, and then decrypts a portion of its own code with the RC4 cipher. The backdoor is modular; the decrypted code is the main module, which also holds the configuration data and the component that communicates with the command-and-control (C2) server.
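Both Mandiant’s comparison quoted above and the description of the main module turn on RC4: the loader decrypts its next stage and its embedded configuration with it. Because RC4 is a symmetric stream cipher, an analyst who pulls the key out of the binary can recover that configuration statically, and can test candidate keys cheaply by decrypting only the first few bytes. The following Python is an added example that implements RC4 (key scheduling plus keystream) and uses it to unwrap a constructed configuration blob; it is not WINELOADER’s code, and the key, the blob layout (a 4-byte magic followed by key=value pairs) and the sample contents are assumptions made for the demonstration.

```python
"""RC4 as used to unwrap an embedded next-stage/config blob.

Added example, not WINELOADER's code: the key, blob layout and sample config
below are constructed for this demonstration.
"""


def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is a stream cipher, so both are the same XOR."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed blob layout: 4-byte magic, then ';'-separated key=value pairs (UTF-8).
MAGIC = b"CFG1"


def parse_config(plain: bytes) -> dict:
    """Validate the magic and split the decrypted blob into a dict."""
    if plain[:4] != MAGIC:
        raise ValueError("wrong key or not a config blob (magic mismatch)")
    body = plain[4:].decode("utf-8")
    return dict(item.split("=", 1) for item in body.split(";") if item)


def decrypt_config(key: bytes, blob: bytes) -> dict:
    return parse_config(rc4_crypt(key, blob))


def find_key(blob: bytes, candidates):
    """Return the first candidate key whose decryption yields the expected magic.

    Only the first four keystream bytes are needed to check the magic, so this
    is cheap even with many carved candidate keys.
    """
    for k in candidates:
        if rc4_crypt(k, blob[:4]) == MAGIC:
            return k
    return None


# Constructed sample: the "binary" carries this key and blob. Neither is real.
SAMPLE_KEY = b"demo-key-not-real"
SAMPLE_PLAINTEXT = MAGIC + b"c2=https://c2.example.invalid/api;ua=Mozilla/5.0 (demo-agent);sleep=60"
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    # Known RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print("test vector ok:", rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3")
    key = find_key(SAMPLE_BLOB, [b"not-it", b"also-wrong", SAMPLE_KEY])
    print("recovered key:", key)
    print("config:", decrypt_config(key, SAMPLE_BLOB))
```

The key point for defenders is the symmetry: whatever the loader can decrypt at runtime, an analyst with the same key material can decrypt offline, which is why a C2 address or user-agent string hidden this way is only obscured, not protected.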

The malware connects to the server over HTTP using a custom user agent, with registration packets embedded in the requests. The attackers can then issue instructions to load additional modules or to establish persistence on the host if they consider it important enough.

The Mandiant report includes MITRE ATT&CK framework TTPs as well as custom detection rules based on the indicators of compromise.
