Friday, January 24, 2025
HomeCyber AttackBeware Of Weaponized Zip Files That Deliver WINELOADER Malware

Beware Of Weaponized Zip Files That Deliver WINELOADER Malware

Published on

SIEM as a Service

Follow Us on Google News

APT29, a Russian threat group, targeted German political parties with a new backdoor called WINELOADER using spear-phishing emails containing malicious links to ZIP files hosted on compromised websites.

The ZIP files deployed an HTA that initiated a multi-stage infection chain, delivering WINELOADER. 

The backdoor has functionalities for communication with command and control servers and utilizes evasion techniques.

To defend against the APT29 campaign, security teams should understand these TTPs and the WINELOADER backdoor to improve detection capabilities. 

APT29 uses spear-phishing emails with a malicious PDF attachment disguised as a wine-tasting invitation. The PDF tricks the victim into downloading a ZIP file containing an HTA (wine.hta or invite.hta). 

Attack Chain

The HTA uses obfuscated JavaScript (potentially obfuscated with obfuscator.io) to download and execute a legitimate but vulnerable Microsoft binary (sqlwriter.exe or sqldumper.exe) along with a malicious DLL (vcruntime140.dll), which is side-loaded by the legitimate binary establishes the initial foothold for the WINELOADER infection. 

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

The Splunk Threat Research Team created an Atomic Red Team test to simulate the initial access of the WINELOADER campaign, excluding the data exfiltration tools, which involve an HTA triggering a base64 decoded payload (invite.zip) containing a DLL (gup.exe). 

It mimics the side-loading behavior but uses a non-malicious DLL and to further emulate real-world attacks, the test injects sqlwriter.exe within a benign vcruntime140.dll. 

Security teams can evaluate their capacity to identify these APT29 TTPs by running and analyzing this test, which will enable them to improve their analytics, response processes, and overall security posture.  

malicious .HTA

The HTA file exploits a DLL side-loading vulnerability. It first writes the Base64-encoded content of a malicious ZIP file (invite.zip) to a text file (invite.txt) on the system, then decodes the text file back to a ZIP and extracts its contents. 

It triggers a user prompt, “Are You Ready?” before executing the payload, likely a malicious DLL named gup.exe and if the user clicks “OK,” the DLL is loaded and likely spawns calc.exe as a test.

A final message box confirms successful DLL side-loading with the Atomic logo. 

Simulation Attack

WINELOADER exploits legitimate applications like SQLWriter.exe or Sqldumper.exe through DLL side-loading by loading a malicious vcruntime140.dll that triggers code execution. 

The code decrypts a hidden data block using the RC4 algorithm with a key stored within the malicious DLL itself, allowing WINELOADER to gain initial functionality on a compromised system. 

One of the RC4 Key

Researchers analyzed a malicious DLL file (vcruntime140.dll) containing a variant of WINELOADER malware, which is encrypted with the RC4 algorithm and hides critical components like API names and strings to avoid detection

C2, User Agent & Landing Page

After decryption, the malware connects to its command and control server (C2) and downloads additional malicious components.

The report provides the C2 server addresses and user-agent strings used by the malware. 

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.  

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...

HellCat and Morpheus Ransomware Share Identical Payloads for Attacks

The cybersecurity landscape witnessed a surge in ransomware activity during the latter half of...