Midnight Blizzard Targets European Diplomats with Wine Tasting Lure


Notorious Russian nation-state actor Midnight Blizzard is targeting European diplomats with a phishing lure inviting them to wine tasting events.

The campaign has targeted multiple European countries with a specific focus on Ministries of Foreign Affairs as well as embassies.

Check Point researchers said that the attackers use these emails to attempt to deploy a newly discovered loader, called Grapeloader, before ultimately infecting victims with a new variant of the modular backdoor Wineloader.

Wineloader is designed to gather sensitive information from the compromised device to facilitate espionage operations. This includes IP addresses, name of the process it runs on, Windows username, Windows machine name, Process ID and privilege level.

The backdoor has been observed in previous Midnight Blizzard campaigns targeting diplomats.

Midnight Blizzard, also known as Cozy Bear or APT29, is an APT group linked to Russia’s foreign intelligence service (SVR). It is known to specialize in espionage and intelligence-gathering operations against governments and critical industries.

Wine Event Phishing Lure

The campaign begins with a phishing email that impersonates a specific person in the mimicked Ministry of Foreign Affairs. These come from at least two distinct domains, bakenhof[.]com and silry[.]com.

Check Point observed that almost all the emails it analyzed used themes of wine-tasting events. Each email contained a malicious link that, when clicked, initiated the download of a file called wine.zip for the next stage of the attack.

In cases where the initial attempt was unsuccessful, additional waves of emails were sent to try and entice the victim to click the link.

The server hosting the link appears to be highly protected against scanning and automated analysis solutions, with the malicious download triggered only under certain conditions, such as specific times or geographic locations.

New Grapeloader Version Deployed

Once opened, the wine.zip archive executes three files, one of which is a heavily obfuscated DLL, ppcore.dll, that functions as the loader: Grapeloader.

Once Grapeloader is side-loaded, the malware copies the contents of the wine.zip archive to a new location on disk and gains persistence by modifying the Windows registry’s Run key. This ensures wine.exe is executed every time the system reboots.
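The persistence step described above (a Run key value launching wine.exe, which in turn side-loads ppcore.dll) is something a defender can check for in a Run key export. The script below is an added example, not code from Check Point or the article: it parses constructed `reg query` output, flags autorun values whose executable lives outside Program Files or Windows, and flags a known side-load DLL sitting beside the executable. The sample registry output, the user path and the directory listing are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (not taken from the article or from a real host).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Wine        REG_SZ    C:\Users\alice\AppData\Local\Temp\wine\wine.exe
"""

# Autoruns launched from outside these roots deserve a second look.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")
# Loader DLL the article reports being side-loaded by wine.exe.
CAMPAIGN_DLLS = {"ppcore.dll"}
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")

def parse_run_entries(text):
    """Return (value name, command line) pairs from reg query output."""
    return [(m.group(1), m.group(3).strip())
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def executable_from_command(command):
    """Program path of a Run value: the quoted part, else the first token."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]

def flag_suspicious(text, dir_listings):
    """Map value name -> list of reasons. dir_listings maps a lowercase
    directory to the file names in it (collected on the host, e.g. with
    os.listdir), so the side-loading check can run offline here."""
    findings = {}
    for name, command in parse_run_entries(text):
        exe = executable_from_command(command)
        reasons = []
        if not exe.lower().startswith(TRUSTED_ROOTS):
            reasons.append("autorun executable outside Program Files/Windows")
        parent = str(PureWindowsPath(exe).parent).lower()
        sidecars = CAMPAIGN_DLLS & {f.lower() for f in dir_listings.get(parent, [])}
        if sidecars:
            reasons.append("side-load DLL beside executable: " + ", ".join(sorted(sidecars)))
        if reasons:
            findings[name] = reasons
    return findings
```

On a live host, replace SAMPLE_REG_OUTPUT with the real `reg query` output and build dir_listings from the directories of each flagged executable.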

Grapeloader is a newly observed tool designed for the initial stages of an attack. Its role involves fingerprinting the infected environment, establishing persistence and retrieving the next-stage payload – in this case, Wineloader.

Grapeloader employs several anti-analysis techniques, including string obfuscation, runtime API resolution and DLL unhooking.

The researchers said the new Wineloader version has evolved from previous iterations, refining its techniques. This includes shared techniques with Grapeloader such as string obfuscation and further anti-analysis techniques like code mutation, junk instruction insertion and structural obfuscation.

In the new campaign, Wineloader gathers information on the environment from the infected machine before sending this data to the command and control server.

“Changes in the new variant primarily include evolved stealth and evasion techniques, which further complicate detection efforts. Due to the links we uncovered between Grapeloader and Wineloader, this suggests that Wineloader is likely delivered in later stages of the attack,” the researchers concluded.
