Splunk Inc.

04/16/2024 | News release | Distributed by Public on 04/16/2024 07:13

From Water to Wine: An Analysis of WINELOADER

Introduction

In late February 2024, Mandiant identified APT29, a Russian state-sponsored threat group, deploying a new backdoor called WINELOADER to target German political parties. This campaign marks a significant shift in APT29's targeting, as they have traditionally focused on government and diplomatic entities. The expansion to political parties suggests an evolution in the group's intelligence gathering priorities, likely influenced by the current geopolitical climate.

The attack chain begins with a spear-phishing email containing a malicious link to a ZIP file hosted on a compromised website. The ZIP file contains an HTML Application (HTA) file that, when executed, initiates a multi-stage infection process ultimately leading to the delivery of the WINELOADER backdoor.

This blog post provides a detailed analysis of the tactics, techniques, and procedures (TTPs) employed by APT29 in this campaign, focusing on two key aspects:

  1. Initial Access: We'll examine the spear-phishing email, the compromised website hosting the malicious ZIP file, and the HTA file responsible for the initial stages of the infection chain.

  2. WINELOADER Analysis: We'll dive deep into the WINELOADER backdoor, exploring its capabilities, command and control (C2) communication, and evasion techniques.

Furthermore, we'll showcase the Splunk security content developed by the Splunk Threat Research Team to help defenders detect and respond to this threat.

As APT29 continues to adapt and evolve their tactics, it is crucial for organizations to stay informed and prepared. By understanding the TTPs and malware employed in this campaign, security teams can enhance their detection capabilities and better protect their organizations from this sophisticated threat.

Initial Access

This section dives deeper into the TTPs employed by APT29 in the initial access stage of the WINELOADER campaign. By examining the spear-phishing attachment and the various components of the infection chain, we aim to provide defenders with the knowledge needed to identify and mitigate this threat.

The Initial Access TTPs

The attack chain begins with a spear-phishing email containing a malicious PDF attachment. This PDF file, masquerading as an invitation to a wine tasting event, includes a link to a ZIP file hosted on a compromised website. The ZIP file contains an HTML Application (HTA) file named "wine.hta" or "invite.hta", depending on the sample analyzed.

Upon executing the HTA file, obfuscated JavaScript code initiates the next stage of the infection chain. The obfuscation technique used in this code matches patterns associated with the publicly available obfuscator "obfuscator.io". The HTA file downloads and executes additional malicious components, including:

  1. A legitimate Microsoft-signed binary named "sqlwriter.exe" or "sqldumper.exe", which is vulnerable to DLL side-loading.

  2. A malicious DLL named "vcruntime140.dll", crafted by the threat actor to be side-loaded by the legitimate binary.

The successful execution of the malicious DLL marks the beginning of the WINELOADER infection.

Assessing Detection Coverage with Atomic Red Team

To help defenders assess their detection coverage against the TTPs used in this campaign, the Splunk Threat Research Team has developed an Atomic Red Team test. This test provides a safe and controlled environment for security teams to evaluate their defenses and identify potential gaps in their detection capabilities.

The Atomic Red Team test developed by the Splunk Threat Research Team covers the following aspects of the initial access stage:

  1. An HTA with a Base64-encoded invite.txt file

  2. Write invite.txt and decode the Base64 content to invite.zip

  3. Extract invite.zip, which contains the Atomic Red Team T1574.002 gup.exe DLL side-load test

  4. After extraction, the HTA runs gup.exe to simulate the DLL side load

We tried to mimic the WINELOADER infection chain as closely as possible, only without using SQLWriter or SQLdumper. During our testing, however, we enhanced our Atomic by embedding sqlwriter.exe with the malicious sample of vcruntime140.dll to emulate the behaviors.

By running these tests and analyzing the results, security teams can gain visibility into their detection and response to the TTPs employed by APT29 in the WINELOADER campaign. This can then be used to:

  • Fine-tune analytics.

  • Improve incident response procedures.

  • Ultimately strengthen the organization's overall security posture.

In our example, the HTA file writes the Base64 encoded content of `invite.zip` to a file at `C:\Windows\Tasks\invite.txt`. It then decodes this file from Base64 to a ZIP file and unzips it. After that, it runs `gup.exe` and displays a message box saying "DLL Side-Load Operation Completed."
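The infection chain described above (mshta.exe running an HTA, staging files in a writable directory, launching a side-load host such as sqlwriter.exe or gup.exe that then loads vcruntime140.dll from its own directory) leaves a small set of host telemetry artifacts that a defender can alert on. The following is an added example written for this post and is not Splunk's own detection content: it runs three simple rules over constructed Sysmon-style events (process create, file create, image load). The event field names, the trusted-directory allowlist and the sample paths are assumptions chosen to mirror the chain as the text describes it.

```python
"""Toy detection pass over constructed Sysmon-style events mirroring the
WINELOADER chain and the Atomic Red Team emulation described in the post.
Added example; event layout and allowlists are assumptions, not Splunk content."""
import ntpath
from collections import Counter

# Side-load host binaries named on the page (real chain + Atomic emulation).
SIDELOAD_HOSTS = {"sqlwriter.exe", "sqldumper.exe", "gup.exe"}
# Directories from which a DLL load next to the host is treated as expected.
# Assumed allowlist; tune to the environment.
TRUSTED_DIR_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Staging directory the Atomic writes to (from the post).
TASKS_DIR = r"c:\windows\tasks"

# Constructed sample events (not real telemetry). "id" loosely follows Sysmon:
# 1 = process create, 11 = file create, 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"mshta.exe C:\Users\user\Downloads\invite.hta"},
    {"id": 11, "image": r"C:\Windows\System32\mshta.exe", "target": r"C:\Windows\Tasks\invite.txt"},
    {"id": 11, "image": r"C:\Windows\System32\mshta.exe", "target": r"C:\Windows\Tasks\invite.zip"},
    {"id": 1, "image": r"C:\Windows\Tasks\sqlwriter.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmd": "sqlwriter.exe"},
    {"id": 7, "image": r"C:\Windows\Tasks\sqlwriter.exe", "loaded": r"C:\Windows\Tasks\vcruntime140.dll"},
    # Benign noise: the real SQL Writer service started by services.exe,
    # loading the runtime from System32.
    {"id": 1, "image": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "sqlwriter.exe"},
    {"id": 7, "image": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe",
     "loaded": r"C:\Windows\System32\vcruntime140.dll"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _dir(path):
    """Lower-cased parent directory of a Windows path."""
    return ntpath.dirname(path).lower()


def detect(events):
    """Return (rule_name, detail) tuples for every event matching a rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and _base(ev["parent"]) == "mshta.exe":
            # Rule 1: mshta.exe spawning any child process.
            alerts.append(("mshta_child_process", ev["image"]))
        elif ev["id"] == 11 and _dir(ev["target"]) == TASKS_DIR:
            # Rule 2: file written into the Tasks staging directory.
            alerts.append(("file_write_in_tasks_dir", ev["target"]))
        elif ev["id"] == 7:
            # Rule 3: known side-load host loading vcruntime140.dll from its
            # own directory, outside the trusted install locations.
            host, dll = _base(ev["image"]), ev["loaded"]
            same_dir = _dir(dll) == _dir(ev["image"])
            trusted = _dir(dll).startswith(TRUSTED_DIR_PREFIXES)
            if host in SIDELOAD_HOSTS and _base(dll) == "vcruntime140.dll" and same_dir and not trusted:
                alerts.append(("dll_sideload_candidate", f"{ev['image']} -> {dll}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule name."""
    return dict(Counter(name for name, _ in alerts))


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"{name:26} {detail}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Rule 3 deliberately keys on the host binary running outside its normal install path rather than on the DLL name alone, because vcruntime140.dll legitimately sits beside thousands of applications; the two benign SQL Writer events at the end of the sample exercise exactly that false-positive path and produce no alert.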

The HTA is simple:

Figure 02: malicious .HTA

Upon running the HTA file, almost everything occurs in the background until a prompt appears to notify you that gup.exe is ready to run. In this screenshot you can see the "Are You Ready?" prompt. Below the prompt is the C:\Windows\Tasks directory with the files ready to load.

Figure 03.1: Simulation Attack

Upon clicking "OK," the test will be completed by spawning calc.exe and a final message box from the HTA.

Figure 03.2: Simulation Attack

The last "OK" click leads to the Atomic logo along with the reference to the DLL side-load test with gup.exe.

Next, check out this video for a live demonstration of our HTA. If you would like to try the HTA yourself, it is hosted on a GIST here.