From Water to Wine: An Analysis of WINELOADER

  • ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
  • Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
  • Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
  • Original: All text extracted from PDF

Original Text

From Water to Wine: An Analysis of WINELOADER | Splunk
By Splunk Threat Research Team

Introduction

In late February 2024, Mandiant identified APT29, a Russian state-sponsored threat group, deploying a new backdoor called WINELOADER to target German political parties. This campaign marks a significant shift in APT29's targeting, as they have traditionally focused on government and diplomatic entities. The expansion to political parties suggests an evolution in the group's intelligence gathering priorities, likely influenced by the current geopolitical climate.

The attack chain begins with a spear-phishing email containing a malicious link to a ZIP file hosted on a compromised website. The ZIP file contains an HTML Application (HTA) file that, when executed, initiates a multi-stage infection process ultimately leading to the delivery of the WINELOADER backdoor.

This blog post provides a detailed analysis of the tactics, techniques, and procedures (TTPs) employed by APT29 in this campaign, focusing on two key aspects:

  • Initial Access: We'll examine the spear-phishing email, the compromised website hosting the malicious ZIP file, and the HTA file responsible for the initial stages of the infection chain.
  • WINELOADER Analysis: We'll dive deep into the WINELOADER backdoor, exploring its capabilities, command and control (C2) communication, and evasion techniques.

Furthermore, we'll showcase the Splunk security content developed by the Splunk Threat Research Team to help defenders detect and respond to this threat.

As APT29 continues to adapt and evolve their tactics, it is crucial for organizations to stay informed and prepared. By understanding the TTPs and malware employed in this campaign, security teams can enhance their detection capabilities and better protect their organizations from this sophisticated threat.

Initial Access

This section dives deeper into the TTPs employed by APT29 in the initial access stage of the WINELOADER campaign. By examining the spear-phishing attachment and the various components of the infection chain, we aim to provide defenders with the knowledge needed to identify and mitigate this threat.

The Initial Access TTPs

Figure 01: Attack Chain

The attack chain begins with a spear-phishing email containing a malicious PDF attachment. This PDF file, masquerading as an invitation to a wine tasting event, includes a link to a ZIP file hosted on a compromised website. The ZIP file contains an HTML Application (HTA) file named "wine.hta" or "invite.hta", depending on the sample analyzed.

Upon executing the HTA file, obfuscated JavaScript code initiates the next stage of the infection chain. The obfuscation technique used in this code matches patterns associated with the publicly available obfuscator "obfuscator.io". The HTA file downloads and executes additional malicious components, including:

  • A legitimate Microsoft-signed binary named "sqlwriter.exe" or "sqldumper.exe", which is vulnerable to DLL side-loading.
  • A malicious DLL named "vcruntime140.dll", crafted by the threat actor to be side-loaded by the legitimate binary.

The successful execution of the malicious DLL marks the beginning of the WINELOADER infection.

Assessing Detection Coverage with Atomic Red Team

To help defenders assess their detection coverage against the TTPs used in this campaign, the Splunk Threat Research Team has developed an Atomic Red Team test. This test provides a safe and controlled environment for security teams to evaluate their defenses and identify potential gaps in their detection capabilities.

The Atomic Red Team test developed by the Splunk Threat Research Team covers the following aspects of the initial access stage:

  • HTA with base64 encoded invite.txt file
  • Write invite.txt and decode the base64 to invite.zip
  • Extract the invite.zip, which contains Atomic Red Team T1574.002 gup.exe DLL side load
  • After extraction the HTA will then run gup.exe to simulate the DLL side load

We tried to mimic the WINELOADER infection chain as closely as possible, only without using SQLWriter or SQLDumper. During our testing, however, we enhanced our Atomic by embedding sqlwriter.exe with the malicious sample of vcruntime140.dll to emulate the behaviors.

By running these tests and analyzing the results, security teams can gain visibility into their detection and response to the TTPs employed by APT29 in the WINELOADER campaign. This can then be used to:

  • Fine-tune analytics.
  • Improve incident response procedures.
  • Ultimately strengthen the organization's overall security posture.

In our example, the HTA file writes the Base64 encoded content of invite.zip to a file at C:\Windows\Tasks\invite.txt. It then decodes this file from Base64 to a ZIP file and unzips it. After that, it runs gup.exe and displays a message box saying "DLL Side-Load Operation Completed."

The HTA is simple:

Figure 02: malicious .HTA

Upon running the HTA file, almost everything occurs in the background until a prompt appears to notify that gup.exe is ready to run. In this screenshot you can see the "Are You Ready?" prompt. Below the prompt is the c:\windows\tasks directory with the files ready to load.

Figure 03.1: Simulation Attack

Upon clicking "OK," the test will be completed by spawning calc.exe and a final message box from the HTA.
Figure 03.2: Simulation Attack

The last "OK" click will lead to the Atomic logo along with the reference to the DLL sideload test with gup.exe.

Next, check out this video for a live demonstration of our HTA. To try out the HTA, it is hosted on a GIST here.

WINELOADER Breakdown

The next section takes a closer look at the WINELOADER malware itself, examining its:

  • Capabilities
  • Communication methods
  • Evasion techniques

This variant of WINELOADER employs DLL side-loading techniques to execute its malicious payload. It achieves this by initiating the execution of either the legitimate SQLWriter.exe or SQLDumper.exe, which in turn automatically loads a specially crafted vcruntime140.dll residing in the same directory as these applications.

SQLWriter.exe is a vital component of Microsoft SQL Server developed by Microsoft Corporation. SQLWriter installs a service facilitating backup/restore operations for Microsoft SQL Server via the Windows VSS infrastructure. Alternatively, the malware may utilize the legitimate Sqldumper.exe, responsible for generating dump files essential for Watson error reporting and debugging tasks.

In the WINELOADER samples analyzed by Zscaler and Mandiant, the Splunk Threat Research Team observed that the specially crafted vcruntime140.dll exports 'memset' and '_set_se_translator', signaling the beginning of the code execution process. This code segment is responsible for decrypting a block of 0x8028 bytes using the RC4 algorithm. The RC4 key is positioned after the code setup within the aforementioned export function.

Figure 04: Export Functions

Figure 05: One of the RC4 Keys

The decrypted data blob typically comprises a headless WINELOADER or shellcode, meticulously encrypted, especially regarding critical APIs and strings essential for its operations. This encryption strategy aims to thwart static analysis of its code. The decryption routine employed by this WINELOADER variant uses yet another RC4 algorithm, with the RC4 key positioned at offset 0x20 within the decrypted headless WINELOADER.

The figure below shows the potential structure of the headless WINELOADER, highlighting key components such as the RC4 key and the encrypted strings table.

Figure 06: Decrypted WINELOADER

The figure below illustrates the following decrypted C2 information associated with the two WINELOADER variants we analyzed:

C2 Domains and Landing pages:
  • castechtools[.]com/api[.]php
  • siestakeying[.]com/auth[.]php

User Agents:
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)

Figure 07: C2, User Agent & Landing Page

All of the C2 URLs are already down, so they aren't available to further analyze the WINELOADER infection chain.

Next, this brief video demonstrates how the information previously shared helped us in creating a simple tool to extract the headless WINELOADER from the specially crafted vcruntime140.dll for further analysis and TTP extraction. The simplified version of this Python tool is available here.

IOC

FileName          SHA256
vcruntime140.dll  72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4
vcruntime140.dll  d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750

YARA Rule:

import "pe"

rule possible_wine_loader_export_function
{
    meta:
        author = "@tccontre18 - Br3akp0int"
        description = "possible wine loader export function setup code"
        date = "2024-04-03"
        sha256 = "72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4"
    strings:
        $exp_loader = {48 83 EC 08 48 8D 0D ?? ?? ?? ?? 48 C7 C2 28 80 00 00 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 C7 05 ?? ?? ?? ?? ?? ?? 00 00 48 C7 05 ?? ?? ?? ?? 28 80 00 00 E8 ?? ?? 00 00 48 83 C4 08 C3}
    condition:
        uint16(0) == 0x5a4d and $exp_loader and pe.number_of_exports != 0
}

Splunk Security Content

The Splunk Threat Research Team has released a new analytic story covering this campaign. Below is a breakdown of the related security content.

Figure 08: Security Content Detection Coverage

Windows MSHTA Writing to World Writable Path

This detection identifies instances of the Windows utility mshta.exe being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting on February 26, 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, using obfuscated JavaScript, downloads a file named invite.txt to the C:\Windows\Tasks directory.
This file is then decoded and decompressed to execute a malicious payload.

`sysmon` EventCode=11 Image="*\mshta.exe" TargetFilename IN ("*\Windows\Tasks\*", "*\Windows\Temp\*", "*\Windows\tracing\*", "*\Windows\PLA\Reports\*", "*\Windows\PLA\Rules\*", "*\Windows\PLA\Templates\*", "*\Windows\PLA\Reports\en-US\*", "*\Windows\PLA\Rules\en-US\*", "*\Windows\Registration\CRMLog\*", "*\Windows\System32\Tasks\*", "*\Windows\System32\Com\dmp\*", "*\Windows\System32\LogFiles\WMI\*", "*\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*", "*\Windows\System32\spool\PRINTERS\*", "*\Windows\System32\spool\SERVERS\*", "*\Windows\System32\spool\drivers\color\*", "*\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\*", "*\Windows\SysWOW64\Tasks\*", "*\Windows\SysWOW64\Com\dmp\*", "*\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\*", "*\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\*", "*\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\*")
| rename Computer as dest, User as user
| stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

(Get this content: Windows MSHTA Writing to World Writable Path.)

CertUtil with Decode Argument

CertUtil.exe may be used to encode and decode a file, including portable executables and script code. Malicious usage will include decoding an encoded file that was downloaded.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

(Get this content: CertUtil with Decode Argument.)

Windows SQLWriter SQLDumper DLL Sideload

This analytic identifies the abuse of the SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic:

  • Searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll.
  • Filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives.

`sysmon` EventCode=7 (Image="*\SQLDumper.exe" OR Image="*\SQLWriter.exe") ImageLoaded="*\vcruntime140.dll" NOT ImageLoaded="C:\Windows\System32\*"
| stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image, ImageLoaded, user, Computer, EventCode
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

(Get this content: Windows SqlWriter SQLDumper DLL Sideload.)

Windows Unsigned MS DLL Side-Loading

The following analytic identifies potential DLL side-loading instances involving unsigned DLLs whose company detail mimics Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process. The analytic involves:

  • Searching Sysmon logs for Event Code 7, where both the Image and ImageLoaded paths do not match system directories (system32, syswow64, and programfiles).
  • Verifying whether the loaded DLL is signed and checking if the folder paths of the Image and ImageLoaded are identical.

This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on org hunting.

`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid NOT (Image IN("C:\Windows\System32\*", "C:\Windows\SysWow64\*", "C:\Program Files*")) NOT (ImageLoaded IN("C:\Windows\System32\*", "C:\Windows\SysWow64\*", "C:\Program Files*"))
| rex field=Image "(?<ImageFolderPath>.+\)"
| rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+\)"
| where ImageFolderPath = ImageLoadedFolderPath
| stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_unsigned_ms_dll_side_loading_filter`

Summary

APT29 has launched a new campaign targeting political parties using the WINELOADER backdoor. Our detailed analysis of the TTPs employed by APT29 focused on the initial access stage and the WINELOADER malware itself. To help organizations detect and respond to this threat, the Splunk Threat Research Team has:

  • Developed an Atomic Red Team test.
  • Released a new analytic story.

As APT29 continues to evolve, it is important for security teams to stay informed and enhance their detection capabilities to protect against sophisticated threats.

Learn More

Visit research.splunk.com to view the Splunk Threat Research Team's complete security content repository. You can implement this content using the Enterprise Security Content Updates app or the Splunk Security Essentials app.

We would like to thank Teoderick Contreras and Michael Haag for authoring this post and the entire Splunk Threat Research Team for their contributions.
References

  • https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
  • https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader

The Splunk Threat Research Team is an active part of a customer's overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Read more Splunk Security Content.

Original Text ChatGPT 4o Paged

From Water to Wine: An Analysis of WINELOADER | Splunk
By Splunk Threat Research Team

Introduction

In late February 2024, Mandiant identified APT29, a Russian state-sponsored threat group, deploying a new backdoor called WINELOADER to target German political parties. This campaign marks a significant shift in APT29's targeting, as they have traditionally focused on government and diplomatic entities. The expansion to political parties suggests an evolution in the group's intelligence gathering priorities, likely influenced by the current geopolitical climate.

The attack chain begins with a spear-phishing email containing a malicious link to a ZIP file hosted on a compromised website. The ZIP file contains an HTML Application (HTA) file that, when executed, initiates a multi-stage infection process ultimately leading to the delivery of the WINELOADER backdoor.

This blog post provides a detailed analysis of the tactics, techniques, and procedures (TTPs) employed by APT29 in this campaign, focusing on two key aspects:

  • Initial Access: We'll examine the spear-phishing email, the compromised website hosting the malicious ZIP file, and the HTA file responsible for the initial stages of the infection chain.
  • WINELOADER Analysis: We'll dive deep into the WINELOADER backdoor, exploring its capabilities, command and control (C2) communication, and evasion techniques.

Furthermore, we'll showcase the Splunk security content developed by the Splunk Threat Research Team to help defenders detect and respond to this threat.

As APT29 continues to adapt and evolve their tactics, it is crucial for organizations to stay informed and prepared. By understanding the TTPs and malware employed in this campaign, security teams can enhance their detection capabilities and better protect their organizations from this sophisticated threat.

Initial Access

This section dives deeper into the TTPs employed by APT29 in the initial access stage of the WINELOADER campaign. By examining the spear-phishing attachment and the various components of the infection chain, we aim to provide defenders with the knowledge needed to identify and mitigate this threat.

The Initial Access TTPs

Phase: Initial Access

  • Technique: Spear-Phishing via Malicious Link
  • Procedure: A spear-phishing email is sent containing a malicious link directing targets to a compromised website.
  • File: ZIP file containing an HTML Application (HTA) file.

  • Technique: User Execution - Malicious HTA

  • Procedure: Upon downloading and opening the ZIP file, the HTML Application (HTA) is executed, initiating the next stage of the attack chain.

Phase: Execution

  • Technique: HTA Execution
  • Procedure: The HTA file runs, likely utilizing Windows Script Host to execute embedded scripts that further the infection process.

Phase: WINELOADER Deployment

  • Technique: Custom Backdoor Installation
  • Tool: WINELOADER
  • Procedure: After initial execution, WINELOADER is installed on the system, setting up for further stages such as persistence and communication with C2 servers.

Additional Technical Analysis (WINELOADER)

  • Functionality:
    • Capabilities include data exfiltration, executing additional payloads, and maintaining persistence.
    • Evasion techniques may include obfuscation and avoiding running in virtual environments.

This structured breakdown focuses on the attack's initial access and execution phases, highlighting the key techniques and procedures used by APT29 in deploying the WINELOADER backdoor.

Figure 01: Attack Chain

The attack chain begins with a spear-phishing email containing a malicious PDF attachment. This PDF file, masquerading as an invitation to a wine tasting event, includes a link to a ZIP file hosted on a compromised website. The ZIP file contains an HTML Application (HTA) file named "wine.hta" or "invite.hta", depending on the sample analyzed.

Upon executing the HTA file, obfuscated JavaScript code initiates the next stage of the infection chain. The obfuscation technique used in this code matches patterns associated with the publicly available obfuscator "obfuscator.io". The HTA file downloads and executes additional malicious components, including:

  • A legitimate Microsoft-signed binary named "sqlwriter.exe" or "sqldumper.exe", which is vulnerable to DLL side-loading.
  • A malicious DLL named "vcruntime140.dll", crafted by the threat actor to be side-loaded by the legitimate binary.

The successful execution of the malicious DLL marks the beginning of the WINELOADER infection.

Assessing Detection Coverage with Atomic Red Team

To help defenders assess their detection coverage against the TTPs used in this campaign, the Splunk Threat Research Team has developed an Atomic Red Team test. This test provides a safe and controlled environment for security teams to evaluate their defenses and identify potential gaps in their detection capabilities.

The Atomic Red Team test developed by the Splunk Threat Research Team covers the following aspects of the initial access stage:

  • HTA with base64 encoded invite.txt file
  • Write invite.txt and decode the base64 to invite.zip
  • Extract the invite.zip, which contains Atomic Red Team T1574.002 gup.exe DLL side load
  • After extraction the HTA will then run gup.exe to simulate the DLL side load

Phase: Initial Access

  • Technique: Spear Phishing with Malicious PDF
  • Procedure: The attacker sends a spear-phishing email with a PDF pretending to be an invitation to a wine tasting event. This PDF contains a link to a ZIP file hosted on a compromised website.

Phase: Execution

  • Technique: User Execution via Malicious HTA
  • Procedure: The ZIP file contains an HTML Application (HTA) file named "wine.hta" or "invite.hta." When executed, it initiates the infection chain using obfuscated JavaScript.

  • Technique: Obfuscated JavaScript Execution

  • Procedure: The HTA file uses JavaScript code obfuscated using "obfuscator.io" to download and execute additional malicious components.

Phase: Defense Evasion

  • Technique: DLL Side-Loading
  • Procedure: Uses a legitimate Microsoft-signed binary ("sqlwriter.exe" or "sqldumper.exe") to side-load a malicious DLL named "vcruntime140.dll."

Phase: Execution (Simulation with Atomic Red Team)

  • Technique: Base64 Decoding and Zip Extraction
  • Procedure: The Atomic Red Team test replicates the process where an HTA writes an "invite.txt" file, decodes it to "invite.zip," and extracts it. The ZIP contains "gup.exe" for DLL side-loading simulation.

  • Technique: Simulated DLL Side-Loading

  • Procedure: Post extraction, the HTA runs "gup.exe" to simulate the DLL side-loading attack.

We tried to mimic the WINELOADER infection chain as closely as possible, only without using SQLWriter or SQLDumper. During our testing, however, we enhanced our Atomic by embedding sqlwriter.exe with the malicious sample of vcruntime140.dll to emulate the behaviors.

By running these tests and analyzing the results, security teams can gain visibility into their detection and response to the TTPs employed by APT29 in the WINELOADER campaign. This can then be used to:

  • Fine-tune analytics.
  • Improve incident response procedures.
  • Ultimately strengthen the organization's overall security posture.

In our example, the HTA file writes the Base64 encoded content of invite.zip to a file at C:\Windows\Tasks\invite.txt. It then decodes this file from Base64 to a ZIP file and unzips it. After that, it runs gup.exe and displays a message box saying "DLL Side-Load Operation Completed."

The HTA is simple:

Figure 02: malicious .HTA

Upon running the HTA file, almost everything occurs in the background until a prompt appears to notify that gup.exe is ready to run. In this screenshot you can see the "Are You Ready?" prompt. Below the prompt is the c:\windows\tasks directory with the files ready to load.

Phase: Initial Access

  • Technique: Spear Phishing Attachment
  • Procedure: The attacker distributes an HTA file, which executes actions to further the infection chain.

Phase: Execution

  • Technique: Command Execution via HTA
  • Procedure: The HTA writes Base64 encoded content to C:\Windows\Tasks\invite.txt, decodes it to a ZIP file, and unzips it.

Phase: Persistence

  • Technique: DLL Side-Loading
  • Procedure: The HTA uses sqlwriter.exe attempting a DLL side-loading attack with a malicious vcruntime140.dll.

Phase: Execution

  • Technique: Execution of Malicious Payload
  • Command: gup.exe is executed displaying "DLL Side-Load Operation Completed" confirmation to the user.

Phase: User Execution

  • Technique: User Prompt
  • Procedure: The HTA displays an "Are You Ready?" message box to prompt the user, indicating readiness to run gup.exe.

Figure 03.1: Simulation Attack

Upon clicking "OK," the test will be completed by spawning calc.exe and a final message box from the HTA.

Figure 03.2: Simulation Attack

The last "OK" click will lead to the Atomic logo along with the reference to the DLL sideload test with gup.exe.

Next, check out this video for a live demonstration of our HTA. To try out the HTA, it is hosted on a GIST here.

WINELOADER Breakdown

The next section takes a closer look at the WINELOADER malware itself, examining its:

  • Capabilities
  • Communication methods
  • Evasion techniques

This variant of WINELOADER employs DLL side-loading techniques to execute its malicious payload. It achieves this by initiating the execution of either the legitimate SQLWriter.exe or SQLDumper.exe, which in turn automatically loads a specially crafted vcruntime140.dll residing in the same directory as these applications.

SQLWriter.exe is a vital component of Microsoft SQL Server developed by Microsoft Corporation. SQLWriter installs a service facilitating backup/restore operations for Microsoft SQL Server via the Windows VSS infrastructure. Alternatively, the malware may utilize the legitimate Sqldumper.exe, responsible for generating dump files essential for Watson error reporting and debugging tasks.

Phase: Execution

  • Technique: Execution via HTA (HTML Application)
  • Procedure: The threat actor uses an HTA file to execute a payload, resulting in the spawning of calc.exe and displaying a final message box.

Phase: Execution

  • Technique: DLL Side-Loading
  • Procedure: The malware uses DLL side-loading by executing legitimate applications, such as SQLWriter.exe or SQLDumper.exe, to load a malicious vcruntime140.dll located in the same directory.

Phase: Execution

  • Technique: Execution via Legitimate Application
  • Procedure:
    • Application: SQLWriter.exe or SQLDumper.exe
    • Malicious Activity: Automatically loads vcruntime140.dll for executing the malicious payload.

Notes:

  • Tools Utilized:
    • Applications: calc.exe, SQLWriter.exe, SQLDumper.exe

By employing DLL side-loading, the attacker leverages legitimate applications to mask malicious activities, allowing the unauthorized execution of malicious code while evading traditional security measures.

In the WINELOADER samples analyzed by Zscaler and Mandiant, the Splunk Threat Research Team observed that the specially crafted vcruntime140.dll exports 'memset' and '_set_se_translator', signaling the beginning of the code execution process. This code segment is responsible for decrypting a block of 0x8028 bytes using the RC4 algorithm. The RC4 key is positioned after the code setup within the aforementioned export function.

Figure 04: Export Functions

Figure 05: One of the RC4 Keys

The decrypted data blob typically comprises a headless WINELOADER or shellcode, meticulously encrypted, especially regarding critical APIs and strings essential for its operations. This encryption strategy aims to thwart static analysis of its code. The decryption routine employed by this WINELOADER variant uses yet another RC4 algorithm, with the RC4 key positioned at offset 0x20 within the decrypted headless WINELOADER.
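The two RC4 layers described above (a 0x8028-byte block decrypted with a key stored after the export setup code, then a second key at offset 0x20 of the result used for the loader's encrypted strings) are the information an analyst needs to pull strings and C2 details out of a sample statically. The following Python script is an added example and is not the Splunk Threat Research Team's extraction tool linked from the post. It implements RC4 and both layers over a constructed blob; the second key's length (16 bytes), the position of the strings table directly after that key, and the table layout (u32 count, then u16 length + RC4-encrypted bytes per entry, each entry encrypted independently) are assumptions made for the demo, since the post does not give them. The build_sample function is only a test fixture, not a real sample.

```python
"""Added example: two-layer RC4 extraction modelled on the WINELOADER description.
Constants marked ASSUMPTION are not stated in the post."""
import struct

STAGE1_SIZE = 0x8028        # size of the RC4-encrypted block (from the analysis)
STAGE2_KEY_OFFSET = 0x20    # offset of the second RC4 key in the decrypted block (from the analysis)
STAGE2_KEY_LEN = 16         # ASSUMPTION: the post does not give the key length
TABLE_OFFSET = STAGE2_KEY_OFFSET + STAGE2_KEY_LEN  # ASSUMPTION: strings table follows the key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation, XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_stage1(blob: bytes, key: bytes) -> bytes:
    """Layer 1: RC4-decrypt the 0x8028-byte block carried by the DLL."""
    if len(blob) != STAGE1_SIZE:
        raise ValueError(f"expected {STAGE1_SIZE:#x} bytes, got {len(blob):#x}")
    return rc4(key, blob)


def decrypt_strings(headless: bytes) -> list:
    """Layer 2: read the RC4 key at offset 0x20 of the decrypted block, then decrypt
    the strings table (ASSUMED layout: u32 count, then u16 length + RC4 bytes per entry)."""
    key = headless[STAGE2_KEY_OFFSET:STAGE2_KEY_OFFSET + STAGE2_KEY_LEN]
    (count,) = struct.unpack_from("<I", headless, TABLE_OFFSET)
    pos = TABLE_OFFSET + 4
    strings = []
    for _ in range(count):
        (length,) = struct.unpack_from("<H", headless, pos)
        pos += 2
        strings.append(rc4(key, headless[pos:pos + length]).decode("ascii"))
        pos += length
    return strings


def extract(blob: bytes, stage1_key: bytes) -> list:
    """Full pipeline: stage-1 block in, decrypted string table out."""
    return decrypt_strings(decrypt_stage1(blob, stage1_key))


def build_sample(stage1_key: bytes, stage2_key: bytes, strings: list) -> bytes:
    """Constructed test fixture (not a real sample): lay out key + table as assumed
    above, pad to 0x8028 bytes, then RC4-encrypt the whole block with the stage-1 key."""
    if len(stage2_key) != STAGE2_KEY_LEN:
        raise ValueError("stage-2 key must be %d bytes" % STAGE2_KEY_LEN)
    table = struct.pack("<I", len(strings))
    for s in strings:
        enc = rc4(stage2_key, s.encode("ascii"))
        table += struct.pack("<H", len(enc)) + enc
    plain = bytearray(b"\x90" * STAGE2_KEY_OFFSET)   # filler standing in for code before the key
    plain += stage2_key + table
    plain += b"\x00" * (STAGE1_SIZE - len(plain))
    return rc4(stage1_key, bytes(plain))


if __name__ == "__main__":
    k1, k2 = b"stage1-key-demo", b"0123456789abcdef"   # constructed demo keys
    sample = build_sample(k1, k2, ["castechtools[.]com/api[.]php", "LoadLibraryA", "VirtualAlloc"])
    print(extract(sample, k1))
```

Against a real sample, the only pieces that change are how the stage-1 key and block are located (the YARA pattern in the post anchors the export setup code where the key follows) and the real table layout, which has to be read off Figure 06 rather than assumed.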

Phase: Initial Payload Execution

  • Technique: DLL Side-Loading
  • Procedure: A specially crafted vcruntime140.dll is loaded, which exports functions memset and _set_se_translator to initiate execution.

Phase: Decryption

  • Technique: RC4 Decryption
  • Procedure:
    • The malicious code decrypts a block of 0x8028 bytes using the RC4 algorithm.
    • The RC4 key is embedded just after the setup code within the export function.

Phase: Payload Deployment

  • Technique: Shellcode Execution
  • Procedure:
    • Decrypted data includes a headless WINELOADER or shellcode, with critical APIs and strings encrypted for obfuscation.
    • A second RC4 decryption routine deciphers these components, utilizing an RC4 key found at offset 0x20 within the initial decrypted payload.

Figure 07: C2, User Agent & Landing Page

All of the C2 URLs are already down, so they aren't available to further analyze the WINELOADER infection chain.

Next, this brief video demonstrates how the information previously shared helped us in creating a simple tool to extract the headless WINELOADER from the specially crafted vcruntime140.dll for further analysis and TTP extraction. The simplified version of this Python tool is available here.

IOC

FileName          SHA256
vcruntime140.dll  72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4
vcruntime140.dll  d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750

YARA Rule:

import "pe"

rule possible_wine_loader_export_function
{
    meta:
        author = "@tccontre18 - Br3akp0int"
        description = "possible wine loader export function setup code"
        date = "2024-04-03"
        sha256 = "72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4"
    strings:
        $exp_loader = {48 83 EC 08 48 8D 0D ?? ?? ?? ?? 48 C7 C2 28 80 00 00 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 C7 05 ?? ?? ?? ?? ?? ?? 00 00 48 C7 05 ?? ?? ?? ?? 28 80 00 00 E8 ?? ?? 00 00 48 83 C4 08 C3}
    condition:
        uint16(0) == 0x5a4d and $exp_loader and pe.number_of_exports != 0
}

Splunk Security Content

The Splunk Threat Research Team has released a new analytic story covering this campaign. Below is a breakdown of the related security content.

Phase: Execution

  • Technique: DLL Side-Loading with Malicious DLL (WINELOADER)
  • Procedure: The threat actor uses a specially crafted vcruntime140.dll to execute the WINELOADER malware. This DLL is likely planted in a directory where a legitimate application loads it, enabling the malicious payload execution.

Phase: Tool Development

  • Technique: Custom Script Creation for Analysis
  • Procedure: A Python tool was developed to extract the WINELOADER from the vcruntime140.dll for further analysis. This tool is designed to identify and extract the malicious code embedded within the DLL.

Phase: Detection and Analysis

  • Technique: YARA Rule for Malicious Code Detection
  • Procedure: A YARA rule was created to detect the presence of WINELOADER by identifying a specific export function setup code within the DLL. This helps in identifying compromised systems by searching for the known byte patterns.

Example YARA Rule Structure:

  • Meta Information:
    • Author: @tccontre18 - Br3akp0int
    • Description: "Possible Wine Loader export function setup code"
    • Date: "2024-04-03"
    • SHA256: "72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4"
  • String for Detection:
    • $exp_loader: Byte pattern indicating the malicious export function
  • Condition:
    • The file must have a valid PE header (uint16(0) == 0x5a4d) and a non-zero number of exports, with the specific pattern present.

These procedures provide a structured approach for red teams to emulate the attack and develop detection methodologies.

The figure below shows the potential structure of the headless WINELOADER, highlighting key components such as the RC4 key and the encrypted strings table.

Figure 06: Decrypted WINELOADER

The figure below illustrates the following decrypted C2 information associated with the two WINELOADER variants we analyzed:

C2 Domains and Landing pages:
  • castechtools[.]com/api[.]php
  • siestakeying[.]com/auth[.]php

User Agents:
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)

To assist you properly, I'll need detailed text from the CTI report describing the threat actor's procedures, focusing on command lines, executed programs, tools, and attack techniques. Once provided, I'll format it to enable a red team to emulate the attack.

Figure 08: Security Content Detection Coverage

Windows MSHTA Writing to World Writable Path

This detection identifies instances of the Windows utility mshta.exe being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting on February 26, 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, using obfuscated JavaScript, downloads a file named invite.txt to the C:\Windows\Tasks directory. This file is then decoded and decompressed to execute a malicious payload.

    `sysmon` EventCode=11 Image="*\\mshta.exe" TargetFilename IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*")
    | rename Computer as dest, User as user
    | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Phase: Initial Access

  • Technique: Phishing via Malicious Attachment
  • Procedure: APT29 distributes phishing attachments that result in downloading and executing a dropper via a compromised website.

Phase: Execution

  • Technique: Scripting with mshta.exe
  • Command: mshta.exe <URL> downloads a file named invite.txt to a writable directory such as C:\Windows\Tasks.

Phase: Payload Execution

  • Technique: JavaScript Execution
  • Procedure: The invite.txt file is decoded and decompressed to execute the malicious payload.

Phase: Defense Evasion

  • Technique: Obfuscated Scripting
  • Procedure: The payload uses obfuscated JavaScript to avoid detection.

Phase: Persistence

  • Technique: Writing to World-Writable Paths
  • Command: Writes payload files to directories such as C:\Windows\Tasks and other system directories where files can be executed later.

This sequence of actions demonstrates an adversary's use of common system tools and scripting to initialize and maintain control over compromised systems.

(Get this content: Windows MSHTA Writing to World Writable Path.)

CertUtil with Decode Argument

CertUtil.exe may be used to encode and decode a file, including portable executables and script code. Malicious usage will include decoding an encoded file that was downloaded.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

(Get this content: CertUtil with Decode Argument.)

Windows SQLWriter SQLDumper DLL Sideload

This analytic identifies the abuse of the SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic:

  • Searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll.
  • Filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives.

    `sysmon` EventCode=7 (Image="*\\SQLDumper.exe" OR Image="*\\SQLWriter.exe") ImageLoaded="*\\vcruntime140.dll" NOT ImageLoaded="C:\\Windows\\System32\\*"
    | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image, ImageLoaded, user, Computer, EventCode
    | rename Computer as dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Phase: Execution

  • Technique: CertUtil for File Decoding
  • Command: certutil -decode <encoded_file> <decoded_output>
  • Description: The attacker uses CertUtil to decode an encoded file, potentially a payload. This tool can handle portable executables and script code.

Phase: Execution

  • Technique: DLL Sideloading via SQLDumper and SQLWriter
  • Procedure: The threat actor uses SQLDumper.exe or SQLWriter.exe to sideload a malicious DLL (vcruntime140.dll) into the process.
  • Monitoring: Detect this activity via Sysmon by looking for EventCode 7 where the loaded image is vcruntime140.dll, excluding legitimate paths like the System32 directory.

These procedures demonstrate methods to execute payloads and inject code into legitimate processes, making detection more challenging.

(Get this content: Windows SqlWriter SQLDumper DLL Sideload.)

Windows Unsigned MS DLL Side-Loading

The following analytic identifies potential DLL side-loading instances involving unsigned DLLs whose company detail mimics Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process. The analytic involves:

  • Searching Sysmon logs for Event Code 7, where both the Image and ImageLoaded paths do not match system directories (system32, syswow64, and programfiles).
  • Verifying whether the loaded DLL is signed and checking if the folder paths of the Image and ImageLoaded are identical.

This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on your organization's hunting.

    `sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*"))
    | rex field=Image "(?<ImageFolderPath>.+\\)"
    | rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+\\)"
    | where ImageFolderPath = ImageLoadedFolderPath
    | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus
    | rename Computer as dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_unsigned_ms_dll_side_loading_filter`
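Added example, not Splunk's code: the two Sysmon EventCode 7 searches above (the SQLWriter/SQLDumper side-load and the unsigned Microsoft-company DLL check) expressed as Python predicates and run over constructed sample events. Field names follow the Sysmon fields the searches use; the sample paths are illustrative, not observed telemetry.

```python
import ntpath
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# System directories both searches exclude; prefix match, case-insensitive ("C:\Program Files*" also covers x86).
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)

def folder_of(path: str) -> str:
    """Equivalent of the search's rex: the path up to and including the last backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"

def sqlwriter_sqldumper_sideload(e: Event) -> bool:
    """Windows SQLWriter SQLDumper DLL Sideload: EventCode 7, image is SQLWriter/SQLDumper,
    the loaded module is vcruntime140.dll, and it was not loaded from System32."""
    if e.get("EventCode") != 7:
        return False
    image = ntpath.basename(str(e.get("Image", ""))).lower()
    loaded = str(e.get("ImageLoaded", ""))
    return (image in ("sqlwriter.exe", "sqldumper.exe")
            and ntpath.basename(loaded).lower() == "vcruntime140.dll"
            and not loaded.lower().startswith("c:\\windows\\system32\\"))

def unsigned_ms_dll_sideload(e: Event) -> bool:
    """Windows Unsigned MS DLL Side-Loading: EventCode 7, the DLL claims Microsoft Corporation as
    Company but is unsigned, neither path is under a system directory, and both share a folder."""
    if e.get("EventCode") != 7:
        return False
    image, loaded = str(e.get("Image", "")), str(e.get("ImageLoaded", ""))
    return (e.get("Company") == "Microsoft Corporation"
            and e.get("Signed") is False
            and e.get("SignatureStatus") != "Valid"
            and not in_system_dir(image) and not in_system_dir(loaded)
            and folder_of(image) == folder_of(loaded))

RULES = {
    "Windows SQLWriter SQLDumper DLL Sideload": sqlwriter_sqldumper_sideload,
    "Windows Unsigned MS DLL Side-Loading": unsigned_ms_dll_sideload,
}

def run_detections(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, ImageLoaded) for every event that trips a rule."""
    return [(name, str(e.get("ImageLoaded"))) for e in events
            for name, rule in RULES.items() if rule(e)]

# Constructed sample events, not real telemetry: the first mimics the side-load the post
# describes (SqlWriter.exe and vcruntime140.dll together in a world-writable folder).
SAMPLE_EVENTS: List[Event] = [
    {"EventCode": 7, "Image": "C:\\Windows\\Tasks\\SqlWriter.exe",
     "ImageLoaded": "C:\\Windows\\Tasks\\vcruntime140.dll",
     "Company": "Microsoft Corporation", "Signed": False, "SignatureStatus": "Unavailable"},
    {"EventCode": 7, "Image": "C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vcruntime140.dll",
     "Company": "Microsoft Corporation", "Signed": True, "SignatureStatus": "Valid"},
    {"EventCode": 11, "Image": "C:\\Windows\\System32\\mshta.exe", "TargetFilename": "C:\\Windows\\Tasks\\invite.txt"},
]
```

Only the first event fires, and it fires both rules; the legitimate System32 load and the EventCode 11 file write are ignored.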

Phase: Discovery

  • Technique: Windows Unsigned MS DLL Side-Loading Detection
  • Procedure: Utilize Sysmon to identify unsigned DLL side-loading attempts from non-system directories.
  • Query:

        sysmon EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid NOT (Image IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) NOT (ImageLoaded IN("C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*", "C:\\Program Files*")) | rex field=Image "(?<ImageFolderPath>.+\\\)" | rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+\\\)" | where ImageFolderPath = ImageLoadedFolderPath | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_ms_dll_side_loading_filter`

Phase: Execution

  • Technique: DLL Side-Loading via Unsigned Microsoft DLLs
  • Procedure: The threat actor leverages a legitimate process to load an unsigned DLL that resembles a Microsoft-signed library. By ensuring the Image and ImageLoaded paths match in non-default directories, they execute malicious payloads without alerting signature-based defenses.

Summary

APT29 has launched a new campaign targeting political parties using the WINELOADER backdoor. Our detailed analysis of the TTPs employed by APT29 focused on the initial access stage and the WINELOADER malware itself. To help organizations detect and respond to this threat, the Splunk Threat Research Team has:

  • Developed an Atomic Red Team test.
  • Released a new analytic story.

As APT29 continues to evolve, it is important for security teams to stay informed and enhance their detection capabilities to protect against sophisticated threats.

Learn More

Visit research.splunk.com to view the Splunk Threat Research Team's complete security content repository. You can implement this content using the Enterprise Security Content Updates app or the Splunk Security Essentials app.

We would like to thank Teoderick Contreras and Michael Haag for authoring this post and the entire Splunk Threat Research Team for their contributions.

References

  • https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
  • https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader

Phase: Initial Access

  • Technique: Spear Phishing with Malicious Attachment
  • Procedure: APT29 sends spear-phishing emails with attachments that deploy the WINELOADER backdoor upon opening.

Phase: Execution

  • Technique: Malicious Macro Execution
  • Procedure: Malicious macros embedded in documents are executed to initiate the download and installation of the WINELOADER malware.

Phase: Persistence

  • Technique: WINELOADER Backdoor Installation
  • Procedure: Utilizing the capabilities of the WINELOADER malware to establish persistence, including potentially modifying the registry or executing scripts at startup.

Inferred Procedure for Backdoor Operations

  • Technique: Execution via PowerShell
  • Likely Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command <malicious script>

Suggested Monitoring Activities

  • Technique: Monitoring PowerShell and Command Prompt Executions
  • Procedure: Keeping track of scripts, especially those bypassing execution policies or using encoded commands.

These procedures outline the use of phishing, malicious macros, and backdoor installation techniques to infiltrate and persist in target environments, focusing on political entities.

The Splunk Threat Research Team is an active part of a customer's overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Read more Splunk Security Content.

I'm here to help with extracting and structuring threat procedures, but it seems the text you provided doesn't contain specific threat actor procedures or CTI report details. If you have a detailed CTI report or specific attack information from which I can extract details like command lines, executed programs, and tools, please provide that, and I'll be glad to assist!

Gemini 2.0

Phase: Initial Access

  • Technique: Spear-phishing Email with Malicious Link
  • Procedure: The attacker sends a spear-phishing email containing a malicious link to a ZIP file hosted on a compromised website.

Phase: Execution

  • Technique: HTML Application Execution
  • Procedure: The victim executes an HTML Application (HTA) file from the ZIP file. The HTA file contains obfuscated JavaScript code.

Phase: Download and Execution of Malicious Components

  • Technique: JavaScript Obfuscation and Download
  • Procedure: The obfuscated JavaScript code downloads and executes additional malicious components. The obfuscation technique matches patterns associated with the "obfuscator.io" obfuscator.

Phase: Privilege Escalation / Lateral Movement

  • Technique: DLL Side-Loading (T1574.002)
  • Procedure: Legitimate Microsoft-signed binary "sqlwriter.exe" or "sqldumper.exe" is used for DLL side-loading.
  • Procedure: A malicious DLL named "vcruntime140.dll" is side-loaded by the legitimate binary.

Phase: Execution

  • Technique: Remote Access Trojan (RAT) Execution
  • Procedure: The malicious DLL, vcruntime140.dll, initiates the WINELOADER infection, decrypting a headless WINELOADER variant using RC4.

Gemini 2.5

Here's an emulation-focused breakdown of the threat actor's procedures:

Phase: Initial Access

  • Technique: Spear-Phishing with Malicious Link
  • Procedure: The threat actor sends spear-phishing emails containing a malicious link to a compressed archive (ZIP file) hosted on a compromised website.

  • Technique: HTML Application (HTA) Execution
  • Procedure: A user executes an HTA file, obtained from a malicious ZIP archive, initiating a multi-stage infection chain. The HTA file utilizes obfuscated JavaScript code.

  • Technique: File Download and Decoding
  • Procedure: The HTA file downloads a base64-encoded file (e.g., invite.txt) to a world-writable directory (e.g., C:\Windows\Tasks).
  • Command: certutil.exe -decode <path_to_encoded_file> <path_to_output_zip_file>
    • Example: certutil.exe -decode C:\Windows\Tasks\invite.txt C:\Windows\Tasks\invite.zip

  • Technique: Archive Extraction
  • Procedure: The HTA file extracts the contents of the downloaded and decoded ZIP archive, preparing the next-stage components.
  • Command: powershell.exe -command "Expand-Archive -Path <path_to_zip_file> -DestinationPath <path_to_destination_directory>"
    • Example: powershell.exe -command "Expand-Archive -Path C:\Windows\Tasks\invite.zip -DestinationPath C:\Windows\Tasks"

Phase: Execution & Defense Evasion

  • Technique: DLL Side-Loading via Legitimate Binaries
  • Procedure: A malicious DLL (e.g., vcruntime140.dll) is placed in the same directory as a legitimate, Microsoft-signed binary vulnerable to DLL side-loading. The legitimate binary is then executed, causing it to load the malicious DLL.
  • Program/Tool: SQLWriter.exe or SQLDumper.exe
    • Inferred Execution (if placed in same dir as malicious DLL): SQLWriter.exe
    • Inferred Execution (if placed in same dir as malicious DLL): SQLDumper.exe

  • Technique: Payload Encryption and Decryption
  • Procedure: The final WINELOADER payload, which can be headless or shellcode, is meticulously encrypted (e.g., using RC4) to hinder static analysis. The malware includes routines for its self-decryption at runtime.