
WINELOADER Analysis

Nov. 8, 2024, 10:22 a.m.

Description

APT29, also known as Cozy Bear, has targeted European diplomats with a sophisticated multi-stage attack chain built around a new modular backdoor called WINELOADER. The attack begins with a fake PDF invitation to a wine-tasting event, which leads to the download of a malicious HTA file. This file then downloads and executes the WINELOADER backdoor, which uses evasion techniques such as DLL side-loading, encryption, and DLL hollowing. The malware communicates with command-and-control (C2) servers hosted on compromised websites, downloads additional modules, and establishes persistence through scheduled tasks or registry keys. The campaign demonstrates APT29's focus on exploiting diplomatic relations between India and European nations, showcasing the group's advanced tradecraft and its efforts to remain undetected.

Date

Published: Nov. 7, 2024, 10:48 p.m.

Created: Nov. 7, 2024, 10:48 p.m.

Modified: Nov. 8, 2024, 10:22 a.m.

Attack Patterns

WINELOADER

APT29 (Cozy Bear)

Additional Information

Government

British Indian Ocean Territory

India