
The Russian state-sponsored group APT29, also known as Midnight Blizzard or Cozy Bear, is targeting European politicians via a new campaign using a loader called Grapeloader.
According to researchers at Check Point, the campaign is similar to the previously documented Wineloader backdoor, which also targeted European political parties and was detailed by Mandiant and other researchers.
Cozy Bear often targets European governments and high-profile organizations, including government agencies and think tanks, using both custom and commercial malware.
In this current wave of attacks, the group mostly focused on Ministries of Foreign Affairs, as well as other countries’ embassies in Europe.
The attacks start with emails mimicking European Union officials with several subject lines, such as Wine Event, Diplomatic dinner, and For Ambassador’s Calendar.
The emails contain a malicious link that, in some cases, led to the download of an archive that eventually deployed Grapeloader. In other cases, the link redirected to the official website of the impersonated Ministry of Foreign Affairs, Check Point reports.
If the recipient clicks the malicious link, a wine.zip archive containing three files is downloaded: a legitimate PowerPoint executable, wine.exe, which is abused for DLL side-loading, and two DLLs. One of the DLLs, ppcore.dll, functions as the loader that Check Point calls Grapeloader.
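The side-loading layout described above (a legitimate executable dropped next to a DLL it normally loads from the Office install directory) is visible in image-load telemetry. The following detector is an added example, not code from Check Point or the article; it runs over constructed records shaped like Sysmon Event ID 7 (the field names Image, ImageLoaded, Signed and SignatureStatus are Sysmon's, the sample paths and the trusted-directory baseline are assumptions for this example) and flags two conditions: a watched DLL such as ppcore.dll loaded from outside its expected location, and an unsigned DLL loaded from the same user-writable directory as its host executable.

```python
"""
Added example (not from the Check Point report or the article above):
a small detector for the DLL side-loading pattern described in the text,
where a legitimate PowerPoint executable (wine.exe) loads a malicious
ppcore.dll placed next to it in an extracted archive.

It runs over constructed image-load records shaped like Sysmon Event ID 7
(the field names Image, ImageLoaded, Signed, SignatureStatus are Sysmon's;
the sample values below are made up for this example).
"""
from pathlib import PureWindowsPath

# Directories from which Office and system DLLs are expected to load
# (assumed baseline; adjust to the environment's actual install paths).
TRUSTED_PREFIXES = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\windows\system32",
)

# DLL names that legitimate Office binaries load and that are therefore
# attractive for side-loading; ppcore.dll is the one named in the article.
WATCHED_DLLS = {"ppcore.dll"}


def is_trusted_location(path: str) -> bool:
    """True if the path sits under one of the baseline trusted directories."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def analyze_image_load(event: dict) -> list:
    """Return the reasons (possibly none) this image-load event looks like side-loading."""
    reasons = []
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])

    # 1) A watched DLL name loaded from outside its expected install directory.
    if dll.name.lower() in WATCHED_DLLS and not is_trusted_location(str(dll)):
        reasons.append(f"{dll.name} loaded from untrusted path {dll.parent}")

    # 2) Executable and DLL share a directory outside the trusted baseline and
    #    the DLL is unsigned or its signature is not valid: the classic
    #    side-load layout of an extracted archive.
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    unsigned = (
        event.get("Signed", "false").lower() != "true"
        or event.get("SignatureStatus", "").lower() != "valid"
    )
    if same_dir and unsigned and not is_trusted_location(str(exe)):
        reasons.append(f"unsigned {dll.name} loaded from the executable's own directory")

    return reasons


def scan(events) -> dict:
    """Map each suspicious loading process to the list of reasons it was flagged."""
    findings = {}
    for ev in events:
        reasons = analyze_image_load(ev)
        if reasons:
            findings[ev["Image"]] = reasons
    return findings


# Constructed sample events: one benign PowerPoint load from the Office
# directory, and one matching the wine.zip layout described in the article.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\ppcore.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {
        "Image": r"C:\Users\alice\Downloads\wine\wine.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\wine\ppcore.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The benign event is not flagged because ppcore.dll loads from the Office directory with a valid signature; the second event triggers both rules. In practice the watched-DLL list and the trusted prefixes would come from an inventory of the environment's Office installs rather than the hard-coded values used here.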
According to Check Point, this is a new tool in Cozy Bear’s arsenal, designed for the initial stage of an attack, and is likely used to deliver Wineloader in later phases of the attack.
Both tools share many similarities, particularly in code structure, obfuscation techniques, and string decryption routines.
“A comparison of older and newer Wineloader versions suggests that this backdoor has continued to evolve. Grapeloader incorporates and enhances some of these advanced techniques, such as DLL unhooking, API resolving, code obfuscation, and string obfuscation. It also introduces new methods to improve its stealth and effectiveness,” the researchers claim.