
New Russian cyberespionage group APT29 campaign targets politicians

Similarities with older APT29 backdoors

While Zscaler did not link the January attack to any APT group, the researchers believed at the time that it was the work of a nation-state threat actor seeking to exploit diplomatic relations, which is typical of APT29 targeting. Going further, Mandiant has now established clear similarities in design and code to two older backdoors tracked as BURNTBATTER and MUSKYBEAT, which are associated only with APT29.

“However, the code family itself is considerably more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism,” the researchers said in their analysis. “Furthermore, WINELOADER includes the following shared techniques with other code families used by APT29: the RC4 algorithm used to decrypt the next-stage payload; a process/DLL name check to validate the payload context (in use since early BEATDROP variants); and an Ntdll usermode hook bypass (in use since early BEATDROP variants).”


WINELOADER is executed by DLL sideloading into a legitimate Windows executable, a technique intended to make detection harder. It then decrypts a portion of its code using the RC4 cipher. The backdoor is modular, and this decrypted code is the main module, which also contains the configuration data and the component that communicates with the command-and-control (C2) server.
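DLL sideloading leaves a characteristic trace in endpoint telemetry: a DLL that carries the name of a Windows system library is loaded from somewhere other than the system directories, usually from the same folder as the legitimate executable that loads it. The following detection logic is an added example written for this article, not Mandiant's or the malware's code; the event field names are modelled loosely on Sysmon "image loaded" events, the sample events are constructed, and the system-DLL inventory is a hard-coded stand-in for one you would build from a clean reference image.

```python
"""Flag DLL sideloading candidates in Sysmon-style 'image loaded' events.

Added example, not code from the article or from Mandiant. Field names,
sample events and the system-DLL inventory are constructed for the demo.
"""
import ntpath

# Directories from which a DLL carrying a Windows system-DLL name is expected to load.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed inventory of DLL base names found in the reference system directories.
SYSTEM_DLL_INVENTORY = {"version.dll", "kernel32.dll", "ntdll.dll", "user32.dll"}

# Constructed events: loading process, DLL path and whether the DLL is signed.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Vendor\tool.exe",
     "image_loaded": r"C:\Windows\System32\version.dll", "dll_signed": True},
    {"process": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "dll_signed": False},
    {"process": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Program Files\App\applib.dll", "dll_signed": True},
]


def _norm(path: str) -> str:
    """Case-fold and normalise separators so Windows paths compare reliably."""
    return path.lower().replace("/", "\\")


def is_under(path: str, roots) -> bool:
    """True when path lies inside one of the root directories."""
    p = _norm(path)
    return any(p.startswith(_norm(r) + "\\") for r in roots)


def find_sideload_candidates(events, inventory=SYSTEM_DLL_INVENTORY):
    """Return events where a system-named DLL loads from outside the system directories.

    Each finding carries the original event plus a list of reasons, so the
    analyst can see which of the three signals fired.
    """
    findings = []
    for ev in events:
        dll = ev["image_loaded"]
        name = ntpath.basename(dll).lower()
        if name not in inventory:
            continue                      # not impersonating a system DLL
        if is_under(dll, SYSTEM_DIRS):
            continue                      # loaded from the expected location
        reasons = ["system DLL name loaded from non-system directory"]
        # A DLL sitting beside the executable that loads it is the classic sideload layout.
        if _norm(ntpath.dirname(dll)) == _norm(ntpath.dirname(ev["process"])):
            reasons.append("DLL co-located with loading executable")
        if not ev.get("dll_signed", False):
            reasons.append("DLL unsigned")
        findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f["process"], "->", f["image_loaded"], "|", "; ".join(f["reasons"]))
```

In production the inventory and the signer check would come from your EDR's own data, and a hit on the first signal alone is worth triage because vendor installers occasionally ship their own copies of system-named DLLs; the co-location and unsigned signals are what push an event from "review" to "investigate".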

The malware connects to the server over HTTP, using a custom user agent and embedding registration packets in its requests. The attackers can issue commands to load additional modules or to establish persistence on the system if they consider the host important enough.
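A custom user agent combined with HTTP check-ins gives network defenders two things to key on: an agent string that no other client on the network sends, and check-ins that arrive at suspiciously regular intervals. The script below is an added example for this article, not code from Mandiant or the article; the proxy-log format, the host names and the `CustomClient/1.0` agent string are constructed for the demonstration, since the page does not give WINELOADER's actual agent string and none is assumed here.

```python
"""Spot periodic HTTP beaconing with a rare User-Agent in proxy log lines.

Added example, not code from the article or from Mandiant. The log format,
host names and the 'CustomClient/1.0' agent string are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log: ISO timestamp, client IP, destination host, User-Agent.
SAMPLE_LOG = """\
2024-03-22T10:00:00Z 10.0.0.5 files.example.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-22T10:00:01Z 10.0.0.7 updates.example.invalid CustomClient/1.0
2024-03-22T10:00:37Z 10.0.0.5 files.example.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-22T10:01:01Z 10.0.0.7 updates.example.invalid CustomClient/1.0
2024-03-22T10:02:01Z 10.0.0.7 updates.example.invalid CustomClient/1.0
2024-03-22T10:02:15Z 10.0.0.9 files.example.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-22T10:03:01Z 10.0.0.7 updates.example.invalid CustomClient/1.0
2024-03-22T10:04:01Z 10.0.0.7 updates.example.invalid CustomClient/1.0
2024-03-22T10:04:50Z 10.0.0.5 files.example.invalid Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
"""


def parse_log(text):
    """Yield (timestamp, client, host, user_agent); the UA is the remainder of the line."""
    for line in text.splitlines():
        ts, client, host, ua = line.split(" ", 3)
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield stamp, client, host, ua


def find_beacons(text, min_requests=4, max_cv=0.1):
    """Return (client, host, user_agent) triples that look like periodic beacons.

    Two signals are combined: the User-Agent is sent by exactly one client on
    the network (a rare agent), and the gaps between that client's requests to
    one host are nearly constant (coefficient of variation at or below max_cv).
    """
    by_key = defaultdict(list)          # (client, host, ua) -> request times
    clients_per_ua = defaultdict(set)   # ua -> set of clients that sent it
    for ts, client, host, ua in parse_log(text):
        by_key[(client, host, ua)].append(ts)
        clients_per_ua[ua].add(client)

    hits = []
    for (client, host, ua), times in by_key.items():
        if len(clients_per_ua[ua]) != 1 or len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((client, host, ua))
    return hits


if __name__ == "__main__":
    for client, host, ua in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {client} -> {host} ({ua})")
```

Real implants often add jitter to their check-in interval, so on production data the `max_cv` threshold needs tuning against a baseline of known-good automated clients (update agents, monitoring probes) rather than being left at the tight value used here; the rare-agent signal is the one that survives jitter.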

The Mandiant report includes MITRE ATT&CK framework TTPs as well as custom detection rules based on the indicators of compromise.
