Wineloader - Analysis of the Infection Chain

June 6, 2024, 8:35 a.m.

Description

The analysis examines the Wineloader backdoor, a modular malware family attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. The infection chain starts with a phishing email luring targets with a wine tasting event invitation. Executing the obfuscated HTA file downloads the Wineloader payload, which relies on sideloading for execution and creates scheduled tasks or registry entries for persistence. Techniques for deobfuscating the JavaScript code are provided so that analysts can extract intelligence from obfuscated payloads.

Date

Published: June 6, 2024, 8:13 a.m.

Created: June 6, 2024, 8:13 a.m.

Modified: June 6, 2024, 8:35 a.m.

Indicators

f61cee951b7024fca048175ca0606bfd550437f5ba2824c50d10bef8fb54ca45

e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc

c1223aa67a72e6c4a9a61bf3733b68bfbe08add41b73ad133a7c640ba265a19e

b014cdff3ac877bdd329ca0c02bdd604817e7af36ad82f912132c50355af0920

ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7

7600d4bb4e159b38408cb4f3a4fa19a5526eec0051c8c508ef1045f75b0f6083

3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9

1c7593078f69f642b3442dc558cddff4347334ed7c96cd096367afd08dca67bc

72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4

Attack Patterns

Wineloader

APT29

T1209

T1064

T1137

T1497

T1574

T1204

T1027

T1053

T1059