Russians lure European diplomats into malware trap with wine-tasting invite

Russia never stops using proven tactics, and its Cozy Bear, aka APT 29, cyber-spies are once again trying to lure European diplomats into downloading malware with a phony invitation to a lux event.

Last year, the Kremlin team went after German politicians with Windows backdoor malware dubbed Wineloader concealed in fake invitations to a dinner reception. Now, malware hunters at Check Point say the same crew is back with Grapeloader, and instead of supper, the Russians are luring Euro diplomats with an invitation to wine tasting.

Offers to attend the swish gathering arrive in an email disguised to resemble a missive from an unnamed European country’s Ministry of Foreign Affairs and were sent to diplomats across the continent. If the targets failed to respond, the scammers sent follow-up emails. Subject lines included “Wine tasting event (update date),” “For Ambassador’s Calendar,” and “Diplomatic dinner.” The message itself has a link to a download from a remote server that really shouldn’t be clicked on.

“The server hosting the link is believed to be highly protected against scanning and automated analysis solutions, with the malicious download triggered only under certain conditions, such as specific times or geographic locations,” the team at Check Point reported Tuesday.

If a user meets the attackers’ criteria, clicking the invitation link downloads an archive called wine.zip. On other occasions the link directs the recipient to a legitimate page on the website of the embassy that supposedly sent the message.

The wine.zip archive carries three files:

  • A legitimate PowerPoint executable, wine.exe, which is exploited for DLL side-loading.
  • A hidden DLL, AppvIsvSubsystems64.dll, which is bloated with junk code, serving only as a required dependency for the PowerPoint executable to run.
  • Another hidden and heavily obfuscated DLL, ppcore.dll, that functions as a loader, dubbed Grapeloader because it is likely used to deliver Wineloader in later phases of the attack.
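
A defender triaging such attachments can check an archive for exactly this layout: an executable shipped alongside DLLs that carry the MS-DOS hidden attribute, which a ZIP stores in the low byte of each entry's external attributes. The script below is an added example, not Check Point's or the malware's code; it builds a constructed in-memory stand-in for wine.zip (the file names are from the article, the bytes are placeholder junk) and flags the side-loading candidates.

```python
"""Triage a ZIP attachment for the exe-plus-hidden-DLL side-loading layout."""
import io
import posixpath
import zipfile

DOS_HIDDEN = 0x02  # MS-DOS "hidden" bit in the ZIP entry's external_attr low byte


def build_sample_archive() -> bytes:
    """Constructed stand-in for wine.zip: one visible exe and two hidden DLLs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wine.exe", b"MZ" + b"\x00" * 64)  # placeholder, not a real PE
        for dll in ("AppvIsvSubsystems64.dll", "ppcore.dll"):
            info = zipfile.ZipInfo(dll)
            info.external_attr = DOS_HIDDEN  # the DLLs are hidden, as described
            zf.writestr(info, b"MZ" + b"\x90" * 4096)  # placeholder junk bytes
    return buf.getvalue()


def sideload_findings(zip_bytes: bytes) -> list:
    """List every DLL that sits in the same folder as an .exe in the archive.

    Each finding records the exe, the DLL and whether the DLL is marked hidden.
    Windows searches an executable's own directory for DLLs first, so this is
    the layout a side-loading kit needs; hidden DLLs make it more suspicious.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    exes = [i for i in infos if i.filename.lower().endswith(".exe")]
    dlls = [i for i in infos if i.filename.lower().endswith(".dll")]
    findings = []
    for exe in exes:
        exe_dir = posixpath.dirname(exe.filename)
        for dll in dlls:
            if posixpath.dirname(dll.filename) != exe_dir:
                continue
            findings.append({
                "exe": exe.filename,
                "dll": dll.filename,
                "hidden": bool(dll.external_attr & DOS_HIDDEN),
            })
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """True when an exe ships with at least one hidden DLL beside it."""
    return any(f["hidden"] for f in sideload_findings(zip_bytes))
```

A DLL hidden next to a signed executable is only a triage signal; the verdict still needs the file's hash, signature and behaviour checked.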

Grapeloader copies the contents of the archive onto a victim PC’s hard drive and changes the Windows Registry’s Run key to ensure persistence. It scans for information, including usernames, the computer name, process names, and process identifiers, and pings a Cozy Bear command-and-control server every 60 seconds for instructions to carry out and seemingly to take delivery of an updated version of Wineloader to run.

The new vintage of Wineloader is a 64-bit trojanized DLL file that allows data to be harvested from the infected machine, encrypted using RC4, and sent back to the command-and-control server. It’s much better at deleting signs of presence in memory and using junk code to hide its true nature from malware-hunting applications.

Check Point’s analysis of the new Wineloader code and its targets led the outfit to conclude that Russia’s government and Cozy Bear, one of Moscow’s most potent and prolific cyber-snoop crews, are almost certainly behind the backdoor malware. The group was behind the massive 2020 SolarWinds hack and is thought to be one of the squads run by the FSB, Russia’s primary intelligence agency.

Cozy Bear has a long history that started in the late Noughties when it developed malware to assist spying efforts. The crew later moved on to organized campaigns against specific targets, such as the Democratic National Committee, the US State Department, and the White House before the USA’s 2016 national election. The gang was exposed when Dutch government whiz-kids managed to break into the crew’s security cameras and observe them at work.

Nowadays, Cozy collects whatever the Kremlin wants from Western governments and their allies – even going after COVID-19 vaccine development data during the pandemic. Presumably, the crew decided that luring diplomats with a party worked so well last time, it was time to tweak things and try again. ®