
Russians Craft Clever Malware Trap with Deceptive Wine-Tasting Invitations

2025-04-16

Author: Jessica Wong

A Familiar Tactic Resurfaces

The Kremlin's cyber espionage group Cozy Bear, also known as APT29, is back in action, this time attempting to lure European diplomats into downloading malware under the guise of a lavish wine-tasting event. This isn't the first time it has used such tactics: last year's ploy involved fake dinner invitations sent to German politicians, with malware hidden inside.

A Deceptive Invitation

Cybersecurity researchers at Check Point have recently revealed that Cozy Bear is sending emails masquerading as official notices from an unnamed European Ministry of Foreign Affairs, inviting diplomats across the continent to a supposed high-profile gathering. If an invitation goes unanswered, the attackers follow up with further emails under subject lines such as "Wine Tasting Event (Update Date)" and "For Ambassador's Calendar," urging recipients to click a link that leads to a malicious download.

How the Malware Works

The link directs targets to a remote server set up to evade detection by security tooling. The malware, dubbed Grapeloader, is delivered inside an archive named 'wine.zip'. In some cases the same link instead leads to a legitimate embassy web page, which makes the lure harder to recognise as malicious.

Inside 'wine.zip' are three components: a legitimate PowerPoint executable named 'wine.exe', which is abused for DLL side-loading; a bloated, hidden DLL, 'AppvIsvSubsystems64.dll', that serves only as a dependency; and a heavily obfuscated DLL, 'ppcore.dll', that contains the Grapeloader code itself.
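The archive layout described above (a legitimate executable shipped next to the DLLs it will load, one of them padded to an unusual size) is something a mail gateway or analyst can check for before anything is run. The script below is an added example written for this article, not code from Check Point or from the campaign itself: it builds a constructed in-memory ZIP that mirrors the described layout with placeholder file contents, then flags executables that sit beside DLLs, DLLs above a size threshold (the 5 MiB cut-off is an assumption), and DLL names matching the two named in the report.

```python
"""Triage a ZIP lure for a DLL side-loading layout.

Added example (not from the Check Point report or the article). The archive
built by build_sample_zip() is constructed: the file contents are filler
bytes, only the names and the padded size mirror the described 'wine.zip'.
"""
import io
import zipfile
from dataclasses import dataclass, field

BLOAT_THRESHOLD = 5 * 1024 * 1024   # assumption: DLLs above 5 MiB are treated as padded
# DLL names taken from the article; a match is a heuristic, not proof of malice.
KNOWN_SIDELOAD_NAMES = {"appvisvsubsystems64.dll", "ppcore.dll"}


@dataclass
class Finding:
    exe: str
    sideload_candidates: list = field(default_factory=list)  # DLLs in the same folder
    bloated_dlls: list = field(default_factory=list)         # DLLs over BLOAT_THRESHOLD
    known_names: list = field(default_factory=list)          # DLLs matching the known names


def triage_zip(data: bytes) -> list[Finding]:
    """Return one Finding per executable in the archive, with its neighbouring DLLs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        # Group entries by directory: side-loading needs the DLL beside the EXE.
        by_dir: dict[str, list] = {}
        for info in infos:
            directory, _, name = info.filename.rpartition("/")
            by_dir.setdefault(directory, []).append((name, info))
        for directory, entries in by_dir.items():
            dlls = [(n, i) for n, i in entries if n.lower().endswith(".dll")]
            for name, _ in entries:
                if not name.lower().endswith(".exe"):
                    continue
                finding = Finding(exe=(directory + "/" if directory else "") + name)
                for dll_name, dll_info in dlls:
                    finding.sideload_candidates.append(dll_name)
                    if dll_info.file_size >= BLOAT_THRESHOLD:   # uncompressed size
                        finding.bloated_dlls.append(dll_name)
                    if dll_name.lower() in KNOWN_SIDELOAD_NAMES:
                        finding.known_names.append(dll_name)
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the described layout; contents are filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wine.exe", b"MZ" + b"\x00" * 1024)
        zf.writestr("AppvIsvSubsystems64.dll", b"MZ" + b"\x00" * (6 * 1024 * 1024))
        zf.writestr("ppcore.dll", b"MZ" + b"\x00" * 4096)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

Only the uncompressed size matters here: a padded DLL compresses very well, so a gateway that looks at the compressed archive size alone will not notice it.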

A Digital Intruder

Once running, Grapeloader installs itself on the victim's PC, modifies the Windows Registry to gain persistence, collects basic host details such as the username and computer name, and checks in with a Cozy Bear command-and-control server every minute for further instructions or updated malware.
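Two of those behaviours, a Run-key entry pointing into a user profile and a process that contacts the same host on a near-fixed one-minute cycle, are visible in ordinary endpoint telemetry. The detector below is an added example for this article, not code from Check Point or any vendor product; it runs over constructed Sysmon-style log lines (process name, host name and path are placeholders, not indicators from the campaign) and flags both patterns.

```python
"""Flag Run-key persistence and one-minute beaconing in sample telemetry.

Added example, not taken from the article or the Check Point report. The
log lines are constructed: "timestamp|event|process|detail". The process
name, the registry target path and the host names are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
USER_PATH_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\")

# Constructed telemetry, not real logs.
SAMPLE_LOGS = """\
2025-04-16T10:00:00|RegistryValueSet|wine.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater=C:\\Users\\diplomat\\AppData\\Local\\wine\\wine.exe
2025-04-16T10:00:05|NetworkConnect|wine.exe|c2.example.invalid:443
2025-04-16T10:01:05|NetworkConnect|wine.exe|c2.example.invalid:443
2025-04-16T10:02:04|NetworkConnect|wine.exe|c2.example.invalid:443
2025-04-16T10:03:06|NetworkConnect|wine.exe|c2.example.invalid:443
2025-04-16T10:04:05|NetworkConnect|wine.exe|c2.example.invalid:443
2025-04-16T10:00:30|NetworkConnect|outlook.exe|mail.example.invalid:443
2025-04-16T10:07:10|NetworkConnect|outlook.exe|mail.example.invalid:443
2025-04-16T10:31:00|NetworkConnect|outlook.exe|mail.example.invalid:443
2025-04-16T10:02:00|RegistryValueSet|setup.exe|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor=C:\\Program Files\\Vendor\\agent.exe
"""


def parse(lines: str):
    """Yield (timestamp, event, process, detail) tuples from the pipe-delimited lines."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, event, proc, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), event, proc, detail


def suspicious_run_keys(lines: str):
    """Run-key values whose target executable lives under a user-writable profile path."""
    hits = []
    for _, event, proc, detail in parse(lines):
        if event != "RegistryValueSet" or "=" not in detail:
            continue
        key, _, target = detail.partition("=")
        under_run_key = any(k.lower() in key.lower() for k in RUN_KEYS)
        user_writable = any(h in target.lower() for h in USER_PATH_HINTS)
        if under_run_key and user_writable:
            hits.append((proc, key, target))
    return hits


def beaconing(lines: str, expected: float = 60.0, tolerance: float = 0.1, min_events: int = 4):
    """(process, host, mean gap) for pairs whose connection gaps cluster around `expected` seconds.

    Both the mean gap and its spread must stay within `tolerance` of the expected
    period, so a few seconds of jitter still match while an irregular mailbox
    poll does not.
    """
    by_pair = defaultdict(list)
    for ts, event, proc, detail in parse(lines):
        if event == "NetworkConnect":
            by_pair[(proc, detail)].append(ts)
    flagged = []
    for (proc, host), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if abs(m - expected) <= expected * tolerance and pstdev(gaps) <= expected * tolerance:
            flagged.append((proc, host, round(m, 1)))
    return flagged


if __name__ == "__main__":
    print(suspicious_run_keys(SAMPLE_LOGS))
    print(beaconing(SAMPLE_LOGS))
```

The Run-key check is deliberately narrow (HKCU or HKLM Run values whose target sits under a user profile or temp directory); legitimate installers write to Run keys too, so the pairing with the beacon pattern, rather than either signal alone, is what makes the alert worth triaging.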

The Evolution of Wineloader

The new iteration of Wineloader operates as a 64-bit trojanized DLL that gathers information from infected systems. Its communications are encrypted with RC4, and it takes further steps to erase traces of its presence and evade security tooling. Check Point's analysis strongly suggests that Cozy Bear, tied to Russia's FSB intelligence agency, is behind this latest campaign.
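RC4 is a stream cipher, so the same routine that encrypts a beacon also decrypts it, and an analyst who recovers the key from a sample can read captured traffic with a few lines of code. The helper below is an added example for this article, not code from Check Point or from the implant; it implements RC4 (key scheduling plus the keystream generator) and decrypts a list of captured messages. The key and beacon text in the usage section are constructed; nothing about the real implant's key or message framing is assumed.

```python
"""RC4 keystream generator and a decrypt helper for captured messages.

Added example, not code from the article or any Check Point report. The
key and beacon below are constructed placeholders.
"""


def rc4_keystream(key: bytes):
    """Yield keystream bytes for `key`: key-scheduling (KSA) then the PRGA loop."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA: one keystream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is symmetric, the data is XORed with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_captures(key: bytes, captures: list[bytes]) -> list[bytes]:
    """Decrypt each captured message on its own; each message restarts the keystream."""
    return [rc4(key, c) for c in captures]


if __name__ == "__main__":
    # Constructed example; a real key would have to come from the analysed sample.
    key = b"example-key"
    beacon = b"host=WS01;user=diplomat"
    wire = rc4(key, beacon)
    print(wire.hex())
    print(decrypt_captures(key, [wire]))
```

Because RC4 provides no integrity check, a decrypted capture that looks like garbage usually means a wrong key or a message that was framed with extra header bytes, not a corrupted capture, so it pays to try decrypting from a few offsets before discarding a candidate key.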

A Legacy of Intrigue

Cozy Bear has a storied history that dates back to the late 2000s, initially developing malware for espionage before moving on to targeted attacks against organizations such as the Democratic National Committee and even the US State Department. Its operations were exposed when Dutch hackers managed to infiltrate its surveillance systems.

Today, Cozy Bear continues to serve the Kremlin's interests, even attempting to compromise COVID-19 vaccine research. Clearly, the allure of a glamorous invitation still proves effective in their elaborate cybersecurity games.