Europeans are known to enjoy fine wine, a cultural characteristic that’s been used against them by attackers behind a recent threat campaign. The cyber operation aimed to deliver a novel backdoor by luring European Union (EU) diplomats with a fake wine-tasting event.
Researchers at Zscaler's ThreatLabz discovered the campaign, which specifically targeted officials from EU countries with Indian diplomatic missions, they wrote in a blog post published Feb. 27. The actor — appropriately dubbed "SpikedWine" — used a PDF file in emails purporting to be an invitation letter from the ambassador of India, inviting diplomats to a wine-tasting event on Feb. 2.
“We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack,” Zscaler ThreatLabz researchers Sudeep Singh and Roy Tay wrote in the post.
The campaign's payload is a backdoor that researchers have called "WineLoader," which has a modular design and employs techniques specifically to evade detection. Those include re-encrypting strings after use and zeroing out memory buffers, which serve to guard sensitive data in memory and evade memory forensics solutions, the researchers noted.
SpikedWine used compromised websites for command-and-control (C2) at multiple stages of the attack chain, which starts when a victim clicks on a link in the PDF and ends with the modular delivery of WineLoader. Overall, the cyberattackers showed a high level of sophistication both in the creative crafting of the socially engineered campaign and the malware, the researchers said.
SpikedWine Uncorks Multiple Cyberattack Phases
Zscaler ThreatLabz discovered the PDF file — the invite to a purported wine-tasting at the Indian ambassador’s residence — uploaded to VirusTotal from Latvia on Jan. 30. Attackers crafted the contents carefully to impersonate the ambassador of India, and the invitation includes a malicious link to a fake questionnaire under the premise that it must be filled out in order to participate.
Clinking — err, clicking — on the link redirects users to a compromised site that proceeds to download a zip archive containing a file called “wine.hta.” The downloaded file contains obfuscated JavaScript code that executes the next stage of the attack.
Eventually, the script executes a file named sqlwriter.exe (a legitimate, signed Microsoft SQL Server binary) from the path C:\Windows\Tasks, which starts the WineLoader infection chain by side-loading a malicious DLL named vcruntime140.dll from the same directory. The DLL's exported function set_se_translator then decrypts the WineLoader core module embedded within the DLL using a hardcoded 256-byte RC4 key before executing it.
WineLoader: Modular, Persistent Backdoor Malware
WineLoader has several modules, each of which consists of configuration data, an RC4 key, and encrypted strings, followed by the module code. The modules observed by the researchers include a core module and a persistence module.
The core module supports three commands: the execution of modules from the command-and-control server (C2) either synchronously or asynchronously; the injection of the backdoor into another DLL; and the updating of the sleep interval between beacon requests.
The persistence module is aimed at allowing the backdoor to execute itself at certain intervals. It also offers an alternative configuration to establish registry persistence at another location on a targeted machine.
Cyberattacker's Evasive Tactics
WineLoader has a number of functions specifically aimed at evading detection, demonstrating a notable level of sophistication by SpikedWine, the researchers said. It encrypts the core module and subsequent modules downloaded from the C2 server, strings, and data sent and received from C2 — with a hardcoded 256-byte RC4 key.
The malware also decrypts some strings only at the point of use and re-encrypts them shortly afterward, the researchers said. It likewise zeroes out the memory buffers that hold results returned from API calls, and overwrites decrypted strings with zeroes once they are no longer needed, so that plaintext exists in memory only for as long as it is being used.
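The module layout described above (configuration data, an RC4 key, encrypted strings, then module code) and the decrypt-on-use, re-encrypt, zero-out handling of strings are the pieces an analyst has to reproduce to pull strings and payloads out of a sample. The following is an added example written for this page, not code from Zscaler or from WineLoader: it implements RC4 with a 256-byte key, builds and parses a module blob in a layout that is assumed here (4-byte little-endian length prefixes, a fixed 256-byte key field; the real field order and sizes are not given in the article), and shows the transient decrypt/use/re-encrypt pattern with explicit buffer scrubbing. All sample data is constructed.

```python
"""Constructed example: RC4 module-blob layout and transient string use.

Not WineLoader's code and not Zscaler's tooling; the blob layout below
(length-prefixed config, 256-byte key, count + length-prefixed encrypted
strings, RC4-encrypted code) is an assumption made for illustration.
"""
import struct
from typing import Callable, List, Tuple

# Assumed hard-coded 256-byte key, deterministic so the example runs offline.
KEY = bytes((i * 7 + 3) & 0xFF for i in range(256))


def rc4_inplace(key: bytes, buf: bytearray) -> None:
    """Plain RC4 (KSA + PRGA) XORed over buf in place. RC4 is symmetric,
    so calling this twice with the same key restores the original bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    for n in range(len(buf)):                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        buf[n] ^= S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Convenience wrapper returning a new bytes object."""
    buf = bytearray(data)
    rc4_inplace(key, buf)
    return bytes(buf)


def build_module(config: bytes, key: bytes, strings: List[bytes], code: bytes) -> bytes:
    """Serialise a module in the assumed layout; strings and code are RC4-encrypted."""
    if len(key) != 256:
        raise ValueError("module key must be 256 bytes")
    out = struct.pack("<I", len(config)) + config + key
    out += struct.pack("<I", len(strings))
    for s in strings:
        enc = rc4(key, s)
        out += struct.pack("<I", len(enc)) + enc
    return out + rc4(key, code)


def parse_module(blob: bytes) -> Tuple[bytes, bytes, List[bytes], bytes]:
    """Walk the assumed layout; returns (config, key, encrypted_strings, decrypted_code).
    Strings are returned still encrypted so callers can decrypt them transiently."""
    off = 0
    (clen,) = struct.unpack_from("<I", blob, off); off += 4
    config = blob[off:off + clen]; off += clen
    key = blob[off:off + 256]; off += 256
    (count,) = struct.unpack_from("<I", blob, off); off += 4
    enc_strings = []
    for _ in range(count):
        (slen,) = struct.unpack_from("<I", blob, off); off += 4
        enc_strings.append(blob[off:off + slen]); off += slen
    code = rc4(key, blob[off:])                # trailing bytes are the module code
    return config, key, enc_strings, code


def scrub(buf: bytearray) -> None:
    """Overwrite a buffer with zeroes so its contents do not linger in memory."""
    buf[:] = bytes(len(buf))


def with_decrypted(key: bytes, enc_buf: bytearray, use: Callable[[bytes], object]) -> object:
    """Decrypt enc_buf in place, hand the plaintext to `use`, then re-encrypt in
    place and scrub the temporary copy. After return, enc_buf is ciphertext again."""
    rc4_inplace(key, enc_buf)                  # decrypt on use
    plain = bytearray(enc_buf)
    try:
        return use(bytes(plain))
    finally:
        scrub(plain)                           # zero the plaintext copy
        rc4_inplace(key, enc_buf)              # re-encrypt shortly after use


def demo() -> List[bytes]:
    """Build a constructed module, parse it, and recover its strings transiently."""
    strings = [b"https://c2.example.invalid/beacon", b"sqlwriter.exe", b"sleep=300"]
    blob = build_module(b"cfg:v1", KEY, strings, b"\x90\x90\xc3")  # constructed
    config, key, enc_strings, code = parse_module(blob)
    recovered = []
    for enc in enc_strings:
        buf = bytearray(enc)
        recovered.append(with_decrypted(key, buf, lambda p: p))
        assert bytes(buf) == enc               # buffer is ciphertext again
    return recovered


if __name__ == "__main__":
    for s in demo():
        print(s.decode())
```

The same `rc4` routine that recovers the strings also recovers the core module from the DLL when the 256-byte key is carved out of the binary, which is why the key location, not the cipher, is the interesting part of the analysis. A memory-forensics tool scanning for the plaintext C2 URL would only see it during the brief window inside `use`.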
Another notable aspect of how SpikedWine operates is that the actor uses compromised network infrastructure at all stages of the attack chain. Specifically, the researchers identified three compromised websites used for hosting intermediate payloads or as C2 servers, they said.
Protection & Detection (How to Avoid Red Wine Stains)
Zscaler ThreatLabz has notified contacts at the National Informatics Center (NIC) in India about the abuse of Indian government themes in the attack.
As the C2 server used in the attack responds only to specific types of requests at certain times, automated analysis solutions cannot retrieve C2 responses and modular payloads for detection and analysis, the researchers said. To help defenders, they included a list of indicators of compromise (IoCs) and URLs associated with the attack in their blog post.
A multilayered cloud security platform should detect IoCs related to WineLoader at various levels, such as any files with the threat name, Win64.Downloader.WineLoader, the researchers noted.
Source: https://www.darkreading.com/cyberattacks-data-breaches/cyberattackers-lure-eu-diplomats-wine-tasting-offers