Virtual wine – real risks: WINELOADER malware offers diplomats a glass for their safety

How ambassadors who decide to attend the tasting end up in the clutches of spies.

A previously unknown hacker group, dubbed SPIKEDWINE, is targeting diplomats from a number of European countries that host Indian diplomatic missions. To achieve their goals, the attackers use a new, previously undocumented backdoor: WINELOADER.

This is reported by Zscaler ThreatLabZ. According to the researchers, the attackers sent PDF files to diplomatic mission staff, purportedly on behalf of the Indian ambassador. The PDFs contained invitations to a wine tasting scheduled for February 2, 2024.

One such PDF was uploaded to VirusTotal from Latvia on January 30, 2024. However, there is reason to believe that the campaign may have started as early as July 6, 2023: a similar PDF was uploaded from the same country on that date.

"The attack is characterized by its very low volume and the use of advanced tactics, techniques and procedures both in the malware itself and in the command and control infrastructure," stated security researchers Sudeep Singh and Roy Tay.

The PDF contains a malicious link disguised as a questionnaire: recipients are asked to fill it out in order to attend the event. Clicking the link downloads an HTML application ("wine.hta") containing obfuscated JavaScript, which in turn fetches an encrypted ZIP archive with the WINELOADER malware from the same domain.
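The delivery chain described above (an .hta fetched from a domain, followed shortly by a ZIP from the same domain) is something a defender can look for in web-proxy logs. The following detection script is an added example and is not code from the Zscaler report or from the campaign; the log format, client addresses and hostnames are constructed for the example and are not indicators from the report.

```python
"""Flag clients that request an .hta file and then, within a short window,
a .zip from the same host, i.e. the HTA-then-encrypted-ZIP delivery chain
described in the article. All log lines, hosts and URLs below are
constructed for this example, not real indicators."""

import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: "<ISO timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-01-30T09:12:01Z 10.0.0.5 GET https://files.example.invalid/invite/wine.hta 200
2024-01-30T09:12:04Z 10.0.0.5 GET https://files.example.invalid/invite/payload.zip 200
2024-01-30T09:15:10Z 10.0.0.7 GET https://cdn.example.invalid/app/setup.hta 200
2024-01-30T10:40:00Z 10.0.0.7 GET https://cdn.example.invalid/app/data.zip 200
2024-01-30T11:00:00Z 10.0.0.9 GET https://www.example.invalid/report.pdf 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    parsed = urlparse(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "host": parsed.hostname,
        "path": parsed.path.lower(),
        "status": int(status),
    }


def find_hta_zip_chains(log_text, window_minutes=5):
    """Return (client, host, hta_url, zip_url) tuples for every client that
    fetched an .hta and then a .zip from the same host within the window.
    Only successful (HTTP 200) fetches count, since a blocked .hta never ran."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    hits = []
    pending = {}  # (client, host) -> most recent .hta event for that pair
    for ev in events:
        if ev["status"] != 200:
            continue
        key = (ev["client"], ev["host"])
        if ev["path"].endswith(".hta"):
            pending[key] = ev
        elif ev["path"].endswith(".zip") and key in pending:
            hta = pending[key]
            if ev["ts"] - hta["ts"] <= window:
                hits.append((ev["client"], ev["host"], hta["url"], ev["url"]))
                del pending[key]
    return hits


if __name__ == "__main__":
    for hit in find_hta_zip_chains(SAMPLE_LOG):
        print("suspicious HTA->ZIP chain:", hit)
```

With the default five-minute window only client 10.0.0.5 is flagged; the second client's ZIP arrives almost an hour and a half after its .hta and is treated as unrelated. Widening the window trades false negatives for false positives, so tune it to what the proxy actually sees for legitimate .hta traffic.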

The WINELOADER core module can download additional modules from the command-and-control server, inject itself into another DLL, and adjust the sleep interval between beacon requests.

A distinctive feature of these attacks is the use of compromised websites both as command-and-control servers and for hosting the malware. The C2 servers are believed to respond only to specific types of requests and only at certain times, which makes the attacks stealthier and harder to detect.

According to the researchers, the attackers made significant efforts to cover their tracks. In particular, they took steps to evade memory forensics and automated URL scanning solutions.