Wineloader - Analysis of the Infection Chain
June 6, 2024, 8:35 a.m.
Description
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which can download further tools or modules over an encrypted command and control channel. The infection chain starts with a phishing email that lures targets with an invitation to a wine tasting event. Executing the obfuscated HTA file downloads the Wineloader payload, which uses sideloading and creates scheduled tasks or registry entries for persistence. Techniques for deobfuscating the JavaScript code are provided so that valuable intelligence can be extracted from obfuscated payloads.
Date
Published: June 6, 2024, 8:13 a.m.
Created: June 6, 2024, 8:13 a.m.
Modified: June 6, 2024, 8:35 a.m.
Indicators

Patterns
Wineloader
APT29
T1209
T1064
T1137
T1497
T1574
T1204
T1027
T1053
T1059