A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER.
The adversary, according to a report from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.
The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of another similar PDF file uploaded from the same country.
The malware is packed with a core module that’s designed to Execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.
A notable aspect of the cyber incursions is the use of compromised websites for C2 and hosting intermediate payloads. It’s suspected that the “C2 server only responds to specific types of requests at certain times,” thereby making the attacks more evasive.
“The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions,” the researchers said.
Source: https://thehackernews.com/