February 29, 2024 at 03:33AM
SPIKEDWINE, a new threat actor, targeted European officials with Indian ties using the WINELOADER backdoor. They used a PDF email attachment posing as an invitation from the Indian Ambassador for a wine-tasting event, enabling malware installation. The attack is sophisticated and evasive, utilizing compromised websites for command and control. The threat was first observed on January 30, 2024, but may have been active since July 6, 2023.
Key Takeaways from Meeting Notes:
1. New Threat Actor and Malware: An undocumented threat actor named SPIKEDWINE has been targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER.
2. Mode of Attack: The adversary used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024. The PDF contained a malicious link that masqueraded as a questionnaire, leading to an HTML application (“wine.hta”) with obfuscated JavaScript code to retrieve the WINELOADER.
3. Timeline and Discovery: The campaign may have been active since at least July 6, 2023, and the PDF document was uploaded to VirusTotal from Latvia on January 30, 2024.
4. Advanced Tactics and Techniques: The attack is characterized by advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure, along with low volume.
5. Malware Capabilities: The malware contains a core module designed to execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.
6. Evasive Measures: The threat actor used compromised websites for C2 and hosting intermediate payloads, making the attacks more evasive. Additionally, they put effort into evading memory forensics and automated URL scanning solutions.
7. Additional Information: The C2 server only responds to specific types of requests at certain times.
These are the key takeaways from the meeting notes regarding the cyber espionage and malware activities targeting officials in European countries with Indian diplomatic missions.