WINELOADER variant: While the Check Point researchers didn't manage to obtain the final payload delivered by GRAPELOADER directly, they located a new variant of the WINELOADER backdoor that was uploaded to the VirusTotal scanning service around the same time and which has code and compilation-time similarities to both AppvIsvSubsystems64.dll and ppcore.dll. As such, there is a strong possibility that it was used as part of the same campaign.

The new WINELOADER variant comes in the form of a DLL called vmtools.dll that was likely also side-loaded by a benign executable. While the exact executable wasn't discovered, the legitimate DLL with the name vmtools.dll is part of the VMware Tools installer.

DLL side-loading is an increasingly common technique used by attackers because it allows their malware code to be loaded into memory by otherwise legitimate executable files that are unlikely to be flagged as malware upon execution. APT29 has been known to use this tactic in past attacks as well.

"The tactics, techniques, and procedures (TTPs) observed in this campaign bear strong similarities to those seen in the previous WINELOADER campaign from March 2024," the researchers stated. "In that earlier attack, APT29 also initiated the campaign with a phishing email disguised as an invitation to a wine-tasting event, that time impersonating an Indian Ambassador."

The Check Point report contains indicators of compromise such as file names, file hashes and C2 URLs that can be used by security teams to build detections and threat hunting queries.
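One way to hunt for the side-loading pattern described above, as an added example that is not part of the article or the Check Point report: a small Python check over Sysmon Event ID 7 (Image Loaded) style records that flags the DLL names named on the page when they load from a user-writable directory, sit beside their loader executable, or carry no valid signature. The field names, the watchlist and the sample records are assumptions constructed for the example, not real telemetry.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image Loaded) style records."""
from pathlib import PureWindowsPath

# Hypothetical watchlist built from the DLL names the report mentions.
WATCHLIST = {"vmtools.dll", "appvisvsubsystems64.dll", "ppcore.dll"}

# Path fragments that indicate a user-writable location; a vendor DLL such as
# vmtools.dll is not expected to be loaded from here (assumption for this example).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def side_load_findings(events):
    """Return one finding per watchlisted DLL load that shows side-loading indicators."""
    findings = []
    for ev in events:
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.name.lower() not in WATCHLIST:
            continue  # not a DLL name we are hunting for
        exe = PureWindowsPath(ev["Image"])
        reasons = []
        if ev.get("SignatureStatus", "").lower() != "valid":
            reasons.append("unsigned-or-invalid-signature")
        if is_user_writable(str(dll)):
            reasons.append("loaded-from-user-writable-dir")
        # PureWindowsPath compares case-insensitively, matching NTFS semantics.
        if exe.parent == dll.parent and is_user_writable(str(exe)):
            reasons.append("dll-beside-loader-exe")
        if reasons:
            findings.append({"process": str(exe), "dll": str(dll), "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry): one benign vendor load, one
# unrelated system DLL, and two loads that match the side-loading pattern.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\vmtools.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\wine\wine.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\wine\vmtools.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\bob\Downloads\Invite\wine.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\Invite\ppcore.dll", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in side_load_findings(SAMPLE_EVENTS):
        print(finding)
```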
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3964203/russia-linked-apt29-targets-european-diplomats-with-new-malware.html

