Wineloader - Analysis of the Infection Chain

June 6, 2024, 8:35 a.m.

Description

The analysis examines the Wineloader backdoor, modular malware attributed to the APT29 threat group that allows further tools or modules to be downloaded over an encrypted command and control channel. The infection chain starts with a phishing email luring targets with an invitation to a wine tasting event. Executing the obfuscated HTA file downloads the Wineloader payload, which uses sideloading and creates scheduled tasks or registry entries for persistence. Techniques for deobfuscating the JavaScript code are provided so that valuable intelligence can be extracted from obfuscated payloads.

Date

  • Created: June 6, 2024, 8:13 a.m.
  • Published: June 6, 2024, 8:13 a.m.
  • Modified: June 6, 2024, 8:35 a.m.

Indicators


Attack Patterns

  • Wineloader
  • APT29
  • T1209
  • T1064
  • T1137
  • T1497
  • T1574
  • T1204
  • T1027
  • T1053
  • T1059