APT29 Russian Hackers Use WineLoader Malware to Target German Political Parties

Written by Mitchell Langley

March 25, 2024

APT29 Russian Hackers Use WineLoader Malware to Target German Political Parties

The APT29 group is employing phishing attacks to distribute a backdoor called WineLoader malware. This malicious software enables the hackers to remotely access compromised devices and networks.

APT29 Targets Using WineLoader Malware

Researchers have issued a warning regarding a Russian hacking group APT29 associated with Russia’s Foreign Intelligence Service (SVR). This group has expanded its targets from diplomatic missions to include political parties in Germany.

APT29, also known as Midnight Blizzard, NOBELIUM, or Cozy Bear, is a Russian hacking group that is believed to be associated with the Russian Foreign Intelligence Service (SVR).

This group has gained notoriety for their involvement in various cyberattacks, including the well-known SolarWinds supply chain attack in December 2020.

Over the years, APT29 has consistently targeted governments, embassies, senior officials, and other entities. They employ a range of tactics, such as phishing and supply chain compromises for their attacks.

Recently, APT29 has shifted their focus towards cloud services. They have successfully breached Microsoft systems, gaining unauthorized access to Exchange accounts and compromising the MS Office 365 email environment used by Hewlett Packard Enterprise.

Russian Hackers from Nobelium Impersonating Political Parties

Mandiant researchers have discovered that APT29 has initiated a phishing campaign against German political parties starting in late February 2024. This represents a significant shift in the group’s operational strategy, as it is the first time they have targeted political parties.

The hackers are now employing phishing emails with a lure centered around the Christian Democratic Union (CDU), which is a famous political party in Germany and currently holds the second largest number of seats in the federal parliament (Bundestag).

The phishing emails, as observed by Mandiant, masquerade as dinner invitations from the CDU and contain a link to an external webpage. This webpage delivers a ZIP archive that contains the ‘Rootsaw’ malware dropper.

APT29 Targets Using WineLoader Malware

Source: Mandiant

When executed, the Rootsaw malware proceeds to download and execute a backdoor named ‘WineLoader’ on the victim’s computer.

In February, Zscaler discovered the WineLoader malware being used in phishing attacks that impersonated invites to diplomats for a wine-tasting event. This indicates that the WineLoader backdoor has been in use even before its recent deployment by APT29.

The WineLoader backdoor shares similarities with other malware variants used in previous APT29 attacks, such as ‘burnbatter’, ‘myskybeat’, and ‘beatdrop’. These similarities suggest a common developer behind these malicious tools.

However, the WineLoader malware stands out due to its modular design and increased customization compared to previous variants. It does not rely on off-the-shelf loaders and establishes an encrypted communication channel with the command and control (C2) server for secure data exchange.

According to Mandiant’s analysts, the WineLoader malware was initially observed in late January 2024 during an operation targeting diplomats from several countries, including the Czech Republic, Germany, India, Italy, Latvia, and Peru.

WineLoader Malware Uses RC4 Encryption to Evade Detection

To avoid detection, WineLoader utilizes RC4 encryption and is loaded directly into memory through DLL side-loading. This technique takes advantage of a legitimate Windows executable called “sqldumper.exe”.

Once activated, WineLoader collects various system information, including the victim’s username, device name, and process name. This data is then sent to the command and control (C2) server, allowing for system profiling.

The C2 server can issue commands for executing modules that can be dynamically loaded to perform specific tasks like establishing persistence within the compromised system.

There are no specific details about the modules used by WineLoader, but it is believed that the malware’s modular design enables APT29 to carry out many of its espionage activities.

The group’s targeting of political parties indicates a potential intention to influence or monitor political processes, which could be indicative of broader geopolitical objectives.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!