An undocumented threat actor tracked as SPIKEDWINE has been spotted using a new backdoor called WINELOADER to target officials in European nations with Indian diplomatic missions.
According to a report from Zscaler ThreatLabz, the adversary sent a PDF file, purportedly from the Indian ambassador, inviting diplomatic staff to a wine-tasting event on February 2, 2024.
The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. A second, similar PDF file uploaded from the same country suggests the campaign may have been running since at least July 6, 2023.
Security researchers Sudeep Singh and Roy Tay noted that the attack has a very low volume and is characterized by the sophisticated tactics, techniques, and procedures (TTPs) used in the malware and command-and-control (C2) infrastructure.
The centerpiece of the novel attack is the PDF file, which contains a malicious link asking recipients to fill out a questionnaire. Clicking the link launches an HTML application (“wine”) that retrieves, from the same domain, an encoded ZIP archive containing obfuscated JavaScript code.
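The delivery chain described above (document viewer → HTML application fetched from a remote host → ZIP download from that same host) is something an endpoint detection pipeline can look for directly. The following Python is an added example written for this article; it is not code from the Zscaler report, and the process events, the `lure.example` host and the `wine.hta` file name are constructed placeholders, not indicators from the campaign. It flags `mshta.exe` when it is spawned by a PDF reader or browser with a remote URL on its command line and then downloads a `.zip` from the same host shortly afterwards.

```python
"""Detect a PDF-lure delivery chain: a document viewer spawning mshta.exe
with a remote URL, followed by a ZIP download from the same host.
Example code written for this article; events below are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ProcEvent:
    """Process-creation record, as an EDR sensor would log it."""
    ts: float
    pid: int
    ppid: int
    image: str      # executable basename
    cmdline: str


@dataclass
class NetEvent:
    """Outbound HTTP(S) request attributed to a process."""
    ts: float
    pid: int
    url: str


# Processes from which a user-clicked link could launch an HTA (assumption: extend per estate).
VIEWERS = {"acrord32.exe", "foxitreader.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
URL_RE = re.compile(r"https?://\S+", re.I)


def find_hta_chains(procs, nets, window_s=300):
    """Return (mshta_pid, hta_url, zip_url) for every suspicious chain found."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.image.lower() != "mshta.exe":
            continue
        parent = by_pid.get(p.ppid)
        m = URL_RE.search(p.cmdline)
        # Only care about mshta launched from a viewer with a remote HTA URL.
        if parent is None or parent.image.lower() not in VIEWERS or not m:
            continue
        hta_url = m.group(0).strip("\"'")
        hta_host = urlparse(hta_url).hostname
        for n in nets:
            dest = urlparse(n.url)
            if (n.pid == p.pid and 0 <= n.ts - p.ts <= window_s
                    and dest.hostname == hta_host
                    and dest.path.lower().endswith(".zip")):
                findings.append((p.pid, hta_url, n.url))
                break
    return findings


# Constructed sample telemetry (placeholder host and file names, not real IoCs).
PROCS = [
    ProcEvent(1000.0, 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1001.0, 200, 100, "AcroRd32.exe", '"AcroRd32.exe" invitation.pdf'),
    ProcEvent(1030.0, 4321, 200, "mshta.exe", 'mshta.exe "https://lure.example/wine.hta"'),
    ProcEvent(1500.0, 5000, 100, "mshta.exe", "mshta.exe C:\\Tools\\local.hta"),  # benign, local
]
NETS = [
    NetEvent(1031.0, 4321, "https://lure.example/wine.hta"),
    NetEvent(1035.0, 4321, "https://lure.example/archive.zip"),
    NetEvent(1040.0, 200, "https://cdn.example/update.zip"),   # unrelated download by the reader
]

if __name__ == "__main__":
    for pid, hta, zip_url in find_hta_chains(PROCS, NETS):
        print(f"suspicious HTA chain: mshta pid={pid} hta={hta} zip={zip_url}")
```

The parent-process check is what keeps the rule quiet: `mshta.exe` started by a script host or from a local file is common in some environments, while a viewer or browser spawning it with a remote URL and immediately pulling an archive from the same host is the specific sequence the article describes.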
The malware includes a core module designed to execute modules sent from the C2 server, inject itself into another dynamic-link library (DLL), and change the sleep interval between beacon requests.
The use of compromised websites for C2 and for hosting intermediate payloads is a notable feature of the attacks. The fact that the “C2 server only responds to specific types of requests at certain times,” the report adds, makes the attacks more evasive.
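A backdoor that can change its sleep interval on command, and a C2 server that answers only selected requests, both undermine the simplest beaconing heuristics, which assume one fixed period and a useful response every time. The Python below is an added example written for this article, not code from the Zscaler report or from the WINELOADER implant itself; the proxy log lines, client address and host names are constructed. It splits the inter-request gaps per client/host pair into runs of near-constant spacing, so that a beacon that moves from one sleep interval to another still shows up as two regular runs, while genuinely bursty browsing does not.

```python
"""Flag beacon-like HTTP traffic even when the implant changes its sleep
interval mid-session, by looking for runs of near-constant request gaps.
Example code written for this article; the log lines are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def parse(log_text):
    """Group request timestamps by (client, dest_host).
    Line format (assumed): "epoch client dest_host status bytes"."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _status, _nbytes = line.split()
        per_pair[(client, host)].append(int(ts))
    return per_pair


def regular_runs(timestamps, min_run=5, max_cv=0.15, change=0.5):
    """Split inter-request gaps into runs where each gap is within `change`
    (as a fraction) of the previous one; return (length, mean_gap) for every
    run that is long enough and has a low coefficient of variation."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    runs, cur = [], []
    for g in gaps:
        if cur and abs(g - cur[-1]) > change * cur[-1]:
            runs.append(cur)       # the interval moved: start a new run
            cur = []
        cur.append(g)
    if cur:
        runs.append(cur)
    out = []
    for r in runs:
        if len(r) >= min_run and mean(r) > 0 and pstdev(r) / mean(r) <= max_cv:
            out.append((len(r), round(mean(r), 1)))
    return out


def find_beacons(log_text):
    """Return {(client, host): [(run_len, mean_gap), ...]} for regular talkers."""
    result = {}
    for pair, ts in parse(log_text).items():
        runs = regular_runs(ts)
        if runs:
            result[pair] = runs
    return result


def _lines(client, host, start, gaps, status="200", nbytes=312):
    """Build constructed log lines from a start time and a list of gaps."""
    t, out = start, [f"{start} {client} {host} {status} {nbytes}"]
    for g in gaps:
        t += g
        out.append(f"{t} {client} {host} {status} {nbytes}")
    return out


# Constructed sample: one host polled every ~60 s, then every ~300 s after a
# sleep change; one host browsed with irregular gaps. Not real traffic.
SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", "c2.example", 1706600000,
           [60, 61, 59, 60, 62, 60, 300, 295, 305, 299, 301, 300])
    + _lines("10.0.0.5", "news.example", 1706600000,
             [5, 120, 3, 900, 40, 7, 2000, 15])
)

if __name__ == "__main__":
    for (client, host), runs in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: regular runs {runs}")
```

The `change` threshold is what makes the sleep-interval switch visible rather than destructive: a jump from 60 s to 300 s closes one run and opens another instead of inflating the variance of a single run. The status and byte columns are parsed but not scored here; in practice, a regular run whose responses are consistently empty or non-200 is a further hint that the server is ignoring the client outside its chosen windows, as the report describes.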
The researchers said that “the threat actor put additional effort into avoiding memory forensics and automated URL scanning solutions” to stay undetected.