Cozy Bear’s Wine Lure Deploys WineLoader Malware Targeting EU Diplomats

The APT29 group, also known as Midnight Blizzard or Cozy Bear, is running a phishing campaign against European embassies and Ministries of Foreign Affairs using emails disguised as invitations to wine-tasting events. The campaign delivers the newly identified GrapeLoader malware, which in turn stages an updated variant of the WineLoader backdoor.

The Russian government-backed hacking collective known as Midnight Blizzard has intensified its efforts to breach the computer systems of European diplomats since January. The group has disseminated fraudulent emails aimed at embassies and diplomatic organizations throughout Europe with the objective of gaining unauthorized access.

According to researchers at Check Point Research (CPR), who are monitoring these intrusion attempts, the attackers are deploying a new malware called GrapeLoader to infiltrate systems. Once they establish a foothold, they utilize an upgraded and more elusive version of a backdoor known as WineLoader.

The attack vector is email: messages crafted to resemble legitimate communications from a Ministry of Foreign Affairs, inviting the recipient to a wine-tasting event. Check Point found this theme in the majority of the samples. Where the first email produced no result, the attackers sent follow-up messages to keep pressure on the target.

This operation is reportedly a continuation of a prior campaign built around the WineLoader backdoor, which Zscaler documented earlier this year.

The malicious emails are sent from domains such as bakenhof[.]com and silry[.]com and contain links that download a file named "wine.zip". The archive holds three files, one of which, "ppcore.dll", is GrapeLoader; it is loaded through DLL side-loading when the bundled executable "wine.exe" is run.

Campaign Overview (Source: Check Point Research)

GrapeLoader copies the contents of "wine.zip" to a new location on the victim's disk and adds an autostart (Run key) entry so that "wine.exe", and with it the side-loaded "ppcore.dll", runs again at startup. This gives the attackers persistent access to machines inside the European Ministries of Foreign Affairs and embassies they are targeting.
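A detection-side check for the persistence pattern described above, that is, an autostart entry that launches an executable from a user-writable directory with a look-alike DLL such as ppcore.dll sitting beside it. This is an added example, not code from Check Point Research or from the article: the Run-key command lines, the directory tree, the list of trusted install prefixes and the list of DLL names are all constructed for the demonstration, and the drive-letter mapping exists only so the script runs offline against a temporary folder.

```python
"""
Hunt for autostart entries that point at a side-loading bundle: an executable
outside the usual install directories with a Microsoft-named DLL next to it.

Added example, not Check Point's tooling. Everything below (paths, Run-key
command lines, name lists) is constructed for the demonstration.
"""
import tempfile
from pathlib import Path

# Assumption: top-level folders under which an executable is treated as an
# installed product rather than a user-dropped bundle.
TRUSTED_PREFIXES = ("program files", "program files (x86)", "windows")

# DLL names that normally only exist beside the product that ships them.
# ppcore.dll is the one abused in this campaign; the others are assumptions.
SIDELOAD_DLLS = {"ppcore.dll", "appvisvsubsystems64.dll", "version.dll"}


def exe_from_command(command: str) -> str:
    """Extract the executable path from a Run-key command line.
    Handles both '"C:\\dir with spaces\\x.exe" --flag' and 'C:\\dir\\x.exe --flag'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def to_lab_path(win_path: str, root: Path) -> Path:
    """Lab-only helper: map 'C:\\Users\\...' onto the constructed tree under root.
    On a real host you would use Path(win_path) directly."""
    tail = win_path.split(":", 1)[1] if ":" in win_path else win_path
    parts = [p for p in tail.replace("\\", "/").split("/") if p]
    return root.joinpath(*parts)


def is_trusted_location(exe: Path, root: Path) -> bool:
    """True when the executable lives under one of TRUSTED_PREFIXES."""
    rel = exe.relative_to(root).parts
    return bool(rel) and rel[0].lower() in TRUSTED_PREFIXES


def find_sideload_candidates(run_entries: dict, root: Path) -> list:
    """Flag Run-key entries whose target exe is outside trusted folders and has a
    SIDELOAD_DLLS-named DLL in the same directory. Returns one dict per finding."""
    findings = []
    for name, command in run_entries.items():
        exe = to_lab_path(exe_from_command(command), root)
        if not exe.is_file() or is_trusted_location(exe, root):
            continue
        dlls = sorted(p.name for p in exe.parent.iterdir()
                      if p.is_file() and p.name.lower() in SIDELOAD_DLLS)
        if dlls:
            findings.append({"entry": name, "exe": str(exe), "dlls": dlls})
    return findings


def build_demo_tree(root: Path) -> dict:
    """Construct a fake filesystem and matching Run-key entries (constructed data).
    Only the AppData bundle should be flagged: Office has ppcore.dll but is in a
    trusted folder, and the third entry has no suspicious DLL beside it."""
    layout = {
        "Users/victim/AppData/Roaming/wine": ["wine.exe", "ppcore.dll", "AppvIsvSubsystems64.dll"],
        "Program Files/Microsoft Office/root/Office16": ["POWERPNT.EXE", "ppcore.dll"],
        "Users/victim/AppData/Local/Tool": ["tool.exe", "helper.dll"],
    }
    for folder, files in layout.items():
        (root / folder).mkdir(parents=True, exist_ok=True)
        for f in files:
            (root / folder / f).write_bytes(b"MZ")  # placeholder, not a real PE
    return {
        "wine": r'"C:\Users\victim\AppData\Roaming\wine\wine.exe"',
        "OfficeStart": r'"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" /s',
        "Tool": r'C:\Users\victim\AppData\Local\Tool\tool.exe --tray',
    }


def run_demo() -> list:
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return find_sideload_candidates(build_demo_tree(root), root)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"[!] Run entry '{finding['entry']}' -> {finding['exe']} "
              f"with side-load candidates {finding['dlls']}")
```

On a live Windows host the entries would come from the HKCU and HKLM `Software\Microsoft\Windows\CurrentVersion\Run` keys (via the `winreg` module) and `to_lab_path` would be replaced by `Path(...)`. The heuristic only surfaces candidates for triage; the combination to act on is an unsigned executable in a profile directory with a ppcore.dll beside it, which is exactly the wine.exe/ppcore.dll bundle described above.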

The WineLoader backdoor is a sophisticated tool for collecting sensitive data from compromised machines in support of the group's espionage operations. Researchers found this updated version notably harder to detect and analyse than earlier incarnations, which automated analysis tools handled more easily.

WineLoader collects identifying data from infected systems, including the IP address, running application names, the Windows username, and process IDs. The backdoor has been tied to earlier Midnight Blizzard operations against diplomatic targets, underscoring the group's persistent focus on this sector.

Researchers characterize GrapeLoader as an early-stage component: it fingerprints the infected machine, establishes persistence, and stages delivery of the WineLoader backdoor. To evade detection it uses obfuscated code and resolves the Windows API functions it needs at runtime rather than importing them directly.

This campaign underscores the continuing evolution of cyber espionage tradecraft and the persistent threat state-sponsored actors pose to diplomatic communications and infrastructure. The findings are a reminder for diplomatic entities to maintain vigilance, strengthen their security controls, and train personnel to recognize targeted phishing.
