A phishing scam has been identified targeting staff of European embassies with an invitation to a fake wine-tasting event. Targets include European diplomats and the staff of non-European countries at embassies located in Europe. The campaign has been linked to the Russian state-sponsored hacking group, Cozy Bear (aka APT29, Midnight Blizzard), and is believed to be primarily an espionage campaign.
The aim of the campaign is to deliver a previously undocumented loader dubbed GrapeLoader. The campaign, identified by Check Point, is believed to be part of a wider effort targeting European governments, diplomats, and think tanks. GrapeLoader is a first-stage tool rather than the final backdoor: it fingerprints the host, establishes persistence, and then fetches and runs additional payloads.
As is typical of spear phishing campaigns, considerable effort has gone into a lure likely to elicit a response. The pretext is a fake diplomatic event, usually a wine tasting, with some emails instead offering a place at a diplomatic dinner. The messages purport to come from a named individual at a real European foreign affairs ministry, which is impersonated. Recipients who do not respond to the initial invitation receive a series of follow-up messages. The phishing link is also gated: if it is opened outside the expected timezone or by an automated tool such as a sandbox, it redirects to the ministry's genuine website, so scanners and analysts see nothing malicious.
The emails prompt the recipient to click an embedded hyperlink that leads to a spoofed website offering a file for download. A recipient who follows through receives a zip archive containing a renamed Microsoft PowerPoint executable, wine.exe, and two hidden DLL files. One DLL is a dependency the PowerPoint executable needs in order to run at all; the other is GrapeLoader. The executable is abused for DLL sideloading: because it resolves DLLs by name and looks in its own directory first, it loads the attacker's DLL in place of the genuine one, and no exploit is needed. Once running, GrapeLoader fingerprints the device and establishes contact with its command-and-control server. It also adds a Run registry key so that wine.exe, and with it GrapeLoader, is executed again after a reboot; that key is the most visible artifact of the chain and the cheapest one to hunt for.
The malware is designed to be stealthy. Strings are stored masked in the binary and decrypted only briefly in memory, then overwritten, which hinders string recovery with tools such as FLOSS. It also temporarily changes the protection of the memory pages holding its code and data so that they cannot be read, which frustrates in-memory antivirus scans: a scanner that cannot read a page cannot match signatures against it. GrapeLoader is thought to lead to the delivery of a modular backdoor known as WineLoader, which has been used in previous Cozy Bear campaigns against governments and political parties.