Zscaler’s ThreatLabz team has uncovered a sophisticated cyber espionage campaign, dubbed SPIKEDWINE, which targets European diplomats using a malware known as WINELOADER. The discovery was made following the analysis of a suspicious PDF file uploaded to VirusTotal from Latvia, which was disguised as an invitation from the Indian Ambassador for a wine-tasting event.
The Infection Chain
The initial vector was a PDF file masquerading as an invitation letter from the Ambassador of India to a wine-tasting event scheduled for February 2024. The file was first uploaded to VirusTotal from Latvia on January 30th, 2024.
The PDF contained a link to a fake questionnaire. Clicking it redirected the victim to a compromised website that served a malicious ZIP archive, which started the infection chain and ultimately deployed the WINELOADER backdoor.
Upon further investigation, ThreatLabz uncovered another similar PDF file uploaded to VirusTotal from Latvia in July 2023, indicating the persistence and planning behind this cyber espionage campaign. The attack is characterized by its low volume, suggesting a highly targeted approach aimed at specific individuals or entities.
Characteristics of the Attack
The SPIKEDWINE campaign is notable for its low volume and precision targeting, focusing on officials from countries with Indian diplomatic missions, particularly in Europe. The attackers appear to be a nation-state actor with interests in the geopolitical relations between India and European nations.
“The threat actor leveraged compromised network infrastructure at all stages of the attack chain. We identified three compromised websites used for hosting intermediate payloads or as C2 servers”.
“Based on our in-depth analysis of the C2 communication, we believe the C2 server only responds to specific types of requests at certain times. This measure prevents automated analysis solutions from retrieving C2 responses and modular payloads”.
WINELOADER: A Modular Backdoor
WINELOADER is characterized by its modular design: additional modules are downloaded from the command and control (C2) server in encrypted form and only when the operator chooses to send them. Because the core implant carries none of that functionality itself, analysis of the initial payload reveals little about the actions the attackers intend to carry out on a given victim.
WINELOADER hides itself through DLL hollowing, overwriting the code of a randomly chosen legitimate DLL loaded in the process. The following DLLs are excluded from selection because they export functions the malware itself calls; hollowing one of them would break its own imports:
- advapi32.dll
- api-ms-win-crt-math-l1-1-0.dll
- api-ms-win-crt-stdio-l1-1-0.dll
- bcryptprimitives.dll
- iphlpapi.dll
- kernel32.dll
- kernelbase.dll
- mscoree.dll
- ntdll.dll
- ole32.dll
- rpcrt4.dll
- shlwapi.dll
- user32.dll
- wininet.dll
Before it sends its first beacon request to the C2 server, WINELOADER repeats the process and injects itself via DLL hollowing into another randomly selected DLL, so the module that initially received the payload is not the one that beacons.
Analysis of the Malicious PDF
The fake invitation to the wine-tasting event was crafted to appear legitimate, with details of an event at the Indian ambassador’s residence. The inclusion of a link to a fake questionnaire was the trigger for the infection process.
The campaign’s sophistication and focus suggest that the threat actor is likely a nation-state with a vested interest in monitoring or influencing the diplomatic relations between India and European countries.
“The malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file – wine.hta”.
“A quick analysis of the PDF file’s metadata reveals that it was generated using LibreOffice version 6.4, and the time of creation was January 29th, 2024, at 10:38 AM UTC”.
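The two observations ThreatLabz made about the lure (the producer and creation timestamp in the PDF metadata, and the external link that starts the chain) are the first things an analyst pulls from any suspicious PDF. The script below is an added example, not code from Zscaler or from the report; it works on a constructed minimal PDF embedded inline (the host `example.invalid` and the `wine.php` path are stand-ins, not the real infrastructure) and uses only the standard library so it runs offline. It locates the `/Info` dictionary through the trailer, converts the PDF date format (including timezone offsets, which many tools silently drop) to UTC, extracts every `/URI` action target in defanged form, and flags action types that indicate active content.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF modelled on the lure described above (an /Info
# dictionary plus one link annotation). Hypothetical host and path; this is
# not the real sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.invalid/wine.php) >> >> endobj
5 0 obj << /Producer (LibreOffice 6.4) /Creator (Writer)
   /CreationDate (D:20240129103800Z) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# ISO 32000 date syntax: D:YYYYMMDDHHmmSSOHH'mm' where everything after the
# year is optional and O is Z, + or -.
PDF_DATE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    rb"(?:(Z)|([+-])(\d{2})'?(\d{2})?'?)?"
)

def parse_pdf_date(raw):
    """Convert a PDF date string to an aware datetime in UTC, or None."""
    m = PDF_DATE.match(raw)
    if not m:
        return None
    y, mo, d, h, mi, s, _z, sign, oh, om = m.groups()
    naive = datetime(int(y), int(mo or 1), int(d or 1),
                     int(h or 0), int(mi or 0), int(s or 0))
    if sign:
        offset = timedelta(hours=int(oh), minutes=int(om or 0))
        tz = timezone(-offset if sign == b"-" else offset)
    else:
        tz = timezone.utc  # 'Z' or no offset at all: treat as UTC
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

def pdf_object(pdf, num):
    """Return the body of 'num 0 obj ... endobj' as bytes, or None."""
    m = re.search(rb"(?<!\d)%d\s+0\s+obj\b(.*?)endobj" % num, pdf, re.S)
    return m.group(1) if m else None

def info_dict(pdf):
    """Follow the trailer's /Info reference and return its string entries."""
    m = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    body = pdf_object(pdf, int(m.group(1))) if m else None
    if body is None:
        return {}
    # Literal strings only; hex strings and escaped parens are out of scope.
    return {k.decode(): v.decode("latin-1")
            for k, v in re.findall(rb"/(\w+)\s*\(([^)]*)\)", body)}

def defang(url):
    """Neutralise a URL for reporting: http -> hxxp, dots in host -> [.]"""
    url = url.replace("http", "hxxp", 1)
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"

def link_targets(pdf):
    """Every /URI action target in the file, defanged."""
    return [defang(u.decode("latin-1"))
            for u in re.findall(rb"/URI\s*\(([^)]*)\)", pdf)]

# Presence of these names is a heuristic for active content; a benign PDF
# can contain them, but a lure that does deserves a closer look.
ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

def triage(pdf):
    """Summarise the metadata and link indicators an analyst reports first."""
    info = info_dict(pdf)
    created = parse_pdf_date(info.get("CreationDate", "").encode("latin-1"))
    return {
        "producer": info.get("Producer"),
        "created_utc": created.isoformat() if created else None,
        "links": link_targets(pdf),
        "active_content": [a.decode() for a in ACTIVE_CONTENT if a in pdf],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The timezone handling matters more than it looks: a lure built in one timezone and triaged in another will carry an offset in `/CreationDate`, and comparing a naive local timestamp against a VirusTotal first-seen time (always UTC) can put the creation after the upload. Normalising to UTC first keeps the timeline consistent with the one quoted above.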
Conclusion
The SPIKEDWINE campaign represents a significant threat to diplomatic entities in Europe. The use of a modular backdoor like WINELOADER demonstrates the advanced capabilities of nation-state actors in conducting cyber espionage operations. Organizations, especially those with diplomatic ties, must remain vigilant and employ robust cybersecurity measures to defend against such targeted attacks.