Similarities with older APT29 backdoors
Whereas Zscaler didn't link the January attack to any APT group, the researchers believed at the time that it was the work of a nation-state threat actor seeking to exploit diplomatic relations, which is typical of APT29 targeting. Going further, Mandiant has now identified clear similarities in design and code to two older backdoors tracked as BURNTBATTER and MUSKYBEAT that are solely associated with APT29.
“However, the code family itself is significantly more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism,” the researchers said in their analysis. “Additionally, WINELOADER contains the following shared techniques with other code families used by APT29: the RC4 algorithm used to decrypt the next stage payload; process/DLL name check to validate the payload context (in use since early BEATDROP variants) and Ntdll usermode hook bypass (in use since early BEATDROP variants).”
WINELOADER is executed using DLL sideloading techniques into a legitimate Windows executable, which is meant to make detection harder. It then proceeds to decrypt a portion of code using the RC4 cipher. The backdoor is modular, and this code represents the core module, which also includes configuration data and the part that communicates with the command-and-control (C2) server.
The malware connects to the server using HTTP with a custom user agent and registration packets inside the requests. The attackers can issue commands to load additional modules or to establish persistence on the system if they consider the system important enough.
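The sideloading step described above leaves a recognizable shape in endpoint telemetry: a Microsoft-signed executable running outside the Windows system directories loads an unsigned DLL from its own folder whose name shadows a DLL that ships in System32. The following heuristic detector is an added example, not code from the Mandiant or Zscaler reports; the Sysmon-style ImageLoad records, file paths and the short System32 reference list are constructed placeholders.

```python
"""Heuristic detector for the DLL-sideloading pattern described in the article.

Added example; not from Mandiant, Zscaler or the WINELOADER report. Input is a
list of constructed Sysmon-style ImageLoad (event ID 7) records with signature
verdicts already attached. All paths below are constructed placeholders.
"""
import ntpath  # parse Windows paths correctly even when run on Linux/macOS
from dataclasses import dataclass

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed stand-in for a System32 inventory taken from a clean reference host.
REFERENCE_SYSTEM32 = {"version.dll", "dbghelp.dll", "wininet.dll"}


@dataclass
class ImageLoad:
    process_path: str       # the legitimate host executable
    process_signed_ms: bool  # valid Microsoft signature on the executable
    dll_path: str           # DLL it loaded
    dll_signed_ms: bool     # valid Microsoft signature on the DLL


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Flag when a Microsoft-signed exe outside the system directories loads a
    non-Microsoft-signed DLL from its own directory that shadows a System32 DLL.
    A production rule would also allow-list known-good exe/DLL pairs."""
    proc_dir = ntpath.dirname(ev.process_path).lower()
    dll_dir = ntpath.dirname(ev.dll_path).lower()
    dll_name = ntpath.basename(ev.dll_path).lower()
    if not ev.process_signed_ms or ev.dll_signed_ms:
        return False
    if proc_dir.startswith(SYSTEM_DIRS):
        return False
    return proc_dir == dll_dir and dll_name in REFERENCE_SYSTEM32


def find_sideloads(events):
    return [e for e in events if is_sideload_candidate(e)]


def sample_events():
    """Constructed telemetry: one sideload-shaped load, two benign loads."""
    tmp = r"C:\Users\user\AppData\Local\Temp"
    return [
        ImageLoad(tmp + r"\viewer.exe", True, tmp + r"\version.dll", False),
        ImageLoad(tmp + r"\viewer.exe", True, r"C:\Windows\System32\wininet.dll", True),
        ImageLoad(r"C:\Windows\System32\svchost.exe", True, r"C:\Windows\System32\version.dll", True),
    ]
```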
The Mandiant report includes MITRE ATT&CK Framework TTPs as well as custom detection rules based on indicators of compromise.