A cyberespionage group known as APT29 and linked to Russia’s foreign intelligence service (SVR) has added a new malware loader to its toolset. Used for fingerprinting, persistence and payload delivery, the new loader was observed in a recent phishing campaign against diplomatic missions in Europe.
“In this current wave of attacks, the threat actors impersonate a major European Ministry of Foreign Affairs to send out invitations to wine tasting events, prompting targets to click a web link leading to the deployment of a new backdoor called GRAPELOADER,” researchers from security firm Check Point wrote in a report. “This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe.”
APT29, also known as Cozy Bear and Midnight Blizzard, is one of the most sophisticated Russian state-sponsored cyberespionage groups. Because of its links to the SVR, its phishing targets are often diplomatic missions, government entities, political parties and think tanks. However, the group is also capable of launching software supply chain attacks, being responsible for the 2020 attack on SolarWinds that impacted thousands of companies, organizations and government agencies.
APT29 changes first-stage tactics and payload
One of APT29’s known malware implants is a modular backdoor program dubbed WINELOADER that was first deployed over a year ago in a campaign that targeted German political parties. That backdoor is still being used as the late-stage implant in this new attack campaign investigated by Check Point.
However, what changed is the first-stage malicious code, whose function is to establish communication with the command-and-control (C2) server and download subsequent payloads. This first-stage component is commonly referred to as a malware dropper or loader, and since 2021 APT29 had used a JavaScript-based loader dubbed ROOTSAW.
In the most recent attack, the group used a new malware dropper that Check Point has named GRAPELOADER and which gets executed by exploiting a DLL side-loading vulnerability.
The phishing campaigns contain links to a remote file called wine.zip, which contains three files: wine.exe, a PowerPoint executable that’s vulnerable to DLL side-loading, and two hidden DLL files called AppvIsvSubsystems64.dll and ppcore.dll. The first DLL is a legitimate one that the PowerPoint executable needs to run, but it has been modified by adding junk code. The second DLL, ppcore.dll, which also gets loaded into memory by wine.exe, is the new GRAPELOADER malware.
Once side-loaded into memory, GRAPELOADER sets up persistence by copying the contents of the wine.zip archive to a new location on disk and setting up a registry key to ensure that wine.exe is executed after every system restart.
The code then collects information about the computer, such as the username, computer name and process names, and sends it via HTTPS to a C2 server. The malware will continue querying the C2 server every 60 seconds for instructions, including shellcode to download and execute directly in memory.
GRAPELOADER uses several techniques to evade detection by memory scanning programs as well as anti-analysis techniques to make reverse engineering harder.
WINELOADER variant
While the Check Point researchers didn’t manage to obtain the final payload delivered by GRAPELOADER directly, they located a new variant of the WINELOADER backdoor that was uploaded to the VirusTotal scanning service around the same time and which has code and compilation time similarities to both AppvIsvSubsystems64.dll and ppcore.dll. As such, there is a strong possibility that it was used as part of the same campaign.
The new WINELOADER variant comes in the form of a DLL called vmtools.dll that was likely also side-loaded by a benign executable. While the exact executable wasn’t discovered, the legitimate DLL with the name vmtools.dll is part of the VMware Tools installer.
DLL side-loading is an increasingly common technique used by attackers because it allows their malware code to be loaded into memory by otherwise legitimate executable files that are unlikely to be detected as malware upon execution. APT29 has been known to use this tactic in past attacks as well.
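As an added example (not code from the Check Point report), the following Python heuristic shows how a defender could hunt for the side-loading layout and Run-key persistence described above: a vendor-named DLL such as ppcore.dll or vmtools.dll loading from a user-writable directory beside its host executable, or an autorun entry pointing into such a directory. The expected vendor directories and the sample telemetry are constructed assumptions for illustration.

```python
# Added example: defender-side heuristic for DLL side-loading and Run-key persistence.
# Vendor directories and telemetry below are assumptions, not indicators from the report.
from pathlib import PureWindowsPath

# DLL names abused in this campaign -> directory prefixes where they legitimately live
# (assumed; adjust to the install layout in your own estate)
EXPECTED_DIRS = {
    "ppcore.dll": ("c:\\program files\\microsoft office\\",
                   "c:\\program files (x86)\\microsoft office\\"),
    "appvisvsubsystems64.dll": ("c:\\program files\\microsoft office\\",
                                "c:\\program files (x86)\\microsoft office\\"),
    "vmtools.dll": ("c:\\program files\\vmware\\",),
}
# Locations an unprivileged user can write to; vendor DLLs should never load from here
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

def _dir(path):
    """Lower-cased parent directory with a trailing backslash, for prefix matching."""
    return str(PureWindowsPath(path).parent).lower() + "\\"

def sideload_reason(image, dll):
    """Return why an image-load event looks like side-loading, or None if it looks benign."""
    name = PureWindowsPath(dll).name.lower()
    if name not in EXPECTED_DIRS:
        return None                       # not a library we watch
    if _dir(dll).startswith(EXPECTED_DIRS[name]):
        return None                       # loaded from its vendor directory
    if _dir(dll) == _dir(image) and _dir(dll).startswith(USER_WRITABLE):
        return f"{name} loaded from user-writable dir beside {PureWindowsPath(image).name}"
    return f"{name} loaded from unexpected location {_dir(dll)}"

def runkey_reason(command):
    """Flag a Run-key value whose executable lives in a user-writable path (naive parse)."""
    exe = command.strip('"').split('"')[0].split(" -")[0]
    return f"Run key launches {exe}" if _dir(exe).startswith(USER_WRITABLE) else None

# Constructed sample telemetry (not real indicators): one side-load, one legitimate
# Office load, one system DLL load, and two autorun entries
IMAGE_LOADS = [
    ("C:\\Users\\alice\\Downloads\\wine\\wine.exe", "C:\\Users\\alice\\Downloads\\wine\\ppcore.dll"),
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\ppcore.dll"),
    ("C:\\Users\\alice\\Downloads\\wine\\wine.exe", "C:\\Windows\\System32\\kernel32.dll"),
]
RUN_KEYS = ['"C:\\Users\\alice\\AppData\\Local\\Wine\\wine.exe"',
            'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe -n vmusr']

def scan(loads=IMAGE_LOADS, runkeys=RUN_KEYS):
    """Run both heuristics and return the list of alert reasons."""
    hits = [r for img, dll in loads if (r := sideload_reason(img, dll))]
    hits += [r for cmd in runkeys if (r := runkey_reason(cmd))]
    return hits

if __name__ == "__main__":
    for hit in scan():
        print("ALERT:", hit)
```

In a real deployment the image-load events would come from EDR or Sysmon Event ID 7 telemetry and the Run-key values from registry audit logs.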
“The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024,” the researchers stated. “In that earlier attack, APT29 also initiated the campaign with a phishing email disguised as an invitation to a wine-tasting event, that time impersonating an Indian Ambassador.”
The Check Point report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.