APT29, a Russian state-sponsored threat actor, has been linked to a sophisticated phishing campaign targeting diplomatic entities in Europe. This campaign utilizes a new variant of a previously known malware called WINELOADER, along with a novel malware loader dubbed GRAPELOADER.

The latest technical analysis from Check Point revealed that GRAPELOADER functions as an initial-stage tool designed for fingerprinting, persistence, and payload delivery, while the upgraded WINELOADER serves as a modular backdoor used in the later stages of the intrusion. The two tools share code similarities, such as their obfuscation and string-decryption techniques, and GRAPELOADER extends the anti-analysis capabilities found in WINELOADER.

Initially documented in February 2024, WINELOADER has been used in attacks that lure diplomatic staff through wine-tasting invitations. This campaign was first attributed to a threat cluster known as SPIKEDWINE but was later connected to APT29 by Mandiant, a Google-owned cybersecurity firm.

In the latest developments, attackers are allegedly sending email invitations to wine-tasting events that mimic an unspecified European Ministry of Foreign Affairs. The emails prompt recipients to click links that deliver GRAPELOADER inside a ZIP archive named "wine.zip." The emails originate from the domains bakenhof.com and silry.com and primarily target the Ministries of Foreign Affairs and embassies of various European nations.

The ZIP archive contains three files, among them a legitimate PowerPoint executable and a malicious DLL that the executable loads as a dependency; this abuse of the executable for DLL side-loading is what activates GRAPELOADER. The malware then modifies the Windows Registry so that the executable is launched again at every system reboot.
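As an added illustration (not code from Check Point or from the article), the following Python helper triages an inbound attachment against the indicators reported above: the two sender domains, the "wine.zip" name, and the executable-plus-DLL layout that characterises DLL side-loading. The archive contents and file names are constructed placeholders, not the real artifacts.

```python
import io
import zipfile

# Sender domains and archive name reported in the write-up above.
REPORTED_DOMAINS = {"bakenhof.com", "silry.com"}
REPORTED_ARCHIVE = "wine.zip"

def sideload_candidates(zip_bytes):
    """Return (exe, dll) pairs that sit in the same folder of the archive.
    A DLL shipped next to a legitimate executable is the side-loading
    layout the article describes; the pairing is a heuristic, not proof."""
    pairs = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir = {}
    for n in names:
        d, _, base = n.rpartition("/")
        by_dir.setdefault(d, []).append(base)
    for d, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        for e in exes:
            for l in dlls:
                pairs.append((f"{d}/{e}".lstrip("/"), f"{d}/{l}".lstrip("/")))
    return pairs

def triage_attachment(sender, filename, zip_bytes):
    """Collect the reasons an attachment matches the reported indicators."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in REPORTED_DOMAINS:
        reasons.append(f"sender domain {domain} reported in campaign")
    if filename.lower() == REPORTED_ARCHIVE:
        reasons.append(f"archive name {filename} reported in campaign")
    pairs = sideload_candidates(zip_bytes)
    if pairs:
        reasons.append(f"exe/dll side-loading layout: {pairs}")
    return reasons

def build_sample_zip():
    """Constructed three-file archive mirroring the layout in the article;
    the names are placeholders (assumption), not the real artifacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wine/viewer.exe", b"MZ placeholder")
        zf.writestr("wine/helper.dll", b"MZ placeholder")
        zf.writestr("wine/invitation.pdf", b"%PDF placeholder")
    return buf.getvalue()
```

A real mail gateway would feed the actual sender and attachment bytes into `triage_attachment`; the side-loading check also flags archives that use neither reported domain nor file name.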

GRAPELOADER also employs steganography and is designed to collect basic information about the infected host, which it exfiltrates to an external server in order to retrieve subsequent payloads. While the exact nature of these payloads remains unclear, Check Point has observed updated WINELOADER artifacts whose timestamps coincide with those of the associated DLLs. GRAPELOADER replaces ROOTSAW, the downloader previously used in this role, indicating that it is intended to stage the deployment of WINELOADER.

As the investigation unfolds, further insights into related malware efforts by the Russian threat group known as Gamaredon have emerged, particularly their use of PteroLNK malware intended for infecting connected USB drives within their attack strategies. This reflects a broader pattern of cyber operations linked to Russia, emphasizing the importance of vigilance and robust cybersecurity measures among targeted entities.
