Wineloader Mimics Ambassador Of India To Start The Infection Chain


ARC Labs delved into the intricacies of the Wineloader backdoor, a sophisticated tool used in spearphishing campaigns linked to the notorious APT29 group, also known as NOBELIUM or COZY BEAR.

This analysis aims to provide defenders with detection guidance and specific KQL queries to identify Wineloader activity within Microsoft Sentinel.

Additionally, ARC Labs offers best practices for analyzing obfuscated JavaScript code within HTA files.

Overview of Wineloader

According to the Binary Defense blog, Wineloader is a modular backdoor initially discovered by Zscaler and later reported by Mandiant.

It has been employed in spearphishing campaigns attributed to APT29.

This backdoor facilitates the download of additional tools or modules to an infected host through an encrypted command and control (C2) channel.

Wineloader is believed to be a variant of other tools associated with APT29, such as BurntBatter, BeatDrop, and MuskyBeat.

  • WINELOADER Overview: A modular backdoor used in spearphishing campaigns attributed to APT29.
  • Phishing Lure: The campaign starts with a phishing email inviting targets to a wine-tasting event hosted by the Ambassador of India.
  • Infection Chain: The malicious website downloads a ZIP file containing an obfuscated HTA file with JavaScript code. Executing the HTA file downloads another ZIP file with the Wineloader payload.
  • Obfuscation Techniques: The HTA file uses heavily obfuscated JavaScript, including variable renaming and string encoding.
  • Execution and Evasion: Wineloader is executed through a malicious DLL sideloaded via sqlwriter.exe.
  • Persistence Mechanisms: Wineloader achieves persistence via scheduled tasks or modifying registry keys.

The initial infection chain of Wineloader begins with a phishing email leveraging an invite to a wine-tasting event hosted by the Ambassador of India.


The PDF redirects the target to a malicious website where the Wineloader infection starts.

The infection chain initiates when the target is redirected to a malicious site that downloads a ZIP file containing a malicious HTA file with heavily obfuscated JavaScript code.

When the user executes the HTA file, the JavaScript code runs, downloading an additional ZIP file containing the Wineloader payload.

ARC Labs analyzed the obfuscated JavaScript to equip defenders with strategies to extract tactical threat intelligence from obfuscated JavaScript payloads.

The JavaScript within the HTA appears to have been muddied with an open-source JavaScript obfuscator that relies on variable renaming and string encoding to hinder human analysis.

Obfuscation Techniques

JavaScript payloads modified using common obfuscation tools often rely on a replace function that replaces encoded values with their original string value upon execution.

For example, a function named replace could contain an array of hexadecimal-encoded strings such as \x6e\x65\x77 (new), \x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74 (ActiveXObject), and \x28\x27\x57\x73\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c\x27\x29, which decodes to ('Wscript.Shell').

Defenders can extract valuable threat intelligence from obfuscated JavaScript payloads by looking for arrays of obfuscated data stored within a function that is repeatedly called when setting variable values within the payload.

This same obfuscation technique is used within the Wineloader HTA sample analyzed by ARC Labs.
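To make the lookup-function pattern concrete, here is an added example in Python (it is not ARC Labs' tooling and does not contain the Wineloader HTA): it finds functions of the form function name(i){var a=[...];return a[i];}, decodes each \xNN-escaped table entry, substitutes the calls back into the script, collapses the resulting string concatenations, and pulls URL-like table entries out for quick IOC triage. The sample script, its function and variable names and the URL in it are constructed for this example.

```python
import json
import re

# Constructed sample modelled on the pattern the article describes: a lookup
# function holding an array of hex-escaped strings, and code that indexes into
# it. This is an assumed illustration, not the Wineloader HTA itself.
SAMPLE_JS = r"""
function replace(i){var a=['\x6e\x65\x77','\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74',
'\x28\x27\x57\x73\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c\x27\x29',
'\x68\x74\x74\x70\x73\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x74\x65\x78\x74\x2e\x74\x78\x74',
'\x20'];return a[i];}
var _0x1=replace(0)+replace(4)+replace(1)+replace(2);
var _0x2=replace(3);
"""

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")

# Matches: function NAME(ARG){var ARR=[ ... ];return ARR[ARG];}
# A regex-level approximation, not a JavaScript parser.
LOOKUP_FN = re.compile(
    r"function\s+(\w+)\s*\(\s*(\w+)\s*\)\s*\{\s*var\s+(\w+)\s*=\s*\[(.*?)\]\s*;"
    r"\s*return\s+\3\s*\[\s*\2\s*\]\s*;?\s*\}",
    re.S,
)


def decode_hex_escapes(s):
    """Turn \\x6e\\x65\\x77 into 'new'."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_lookup_functions(js):
    """Map each decoder-function name to its decoded string table."""
    tables = {}
    for m in LOOKUP_FN.finditer(js):
        fn_name, body = m.group(1), m.group(4)
        items = re.findall(r"'([^']*)'", body)
        tables[fn_name] = [decode_hex_escapes(i) for i in items]
    return tables


def resolve_calls(js, tables):
    """Replace every NAME(N) call with the decoded string as a double-quoted literal."""
    if not tables:
        return js
    call = re.compile(r"\b(" + "|".join(map(re.escape, tables)) + r")\s*\(\s*(\d+)\s*\)")

    def sub(m):
        table, idx = tables[m.group(1)], int(m.group(2))
        return json.dumps(table[idx]) if idx < len(table) else m.group(0)

    return call.sub(sub, js)


def fold_concat(js):
    """Collapse "a"+"b" into "ab" so the reconstructed strings read as a whole."""
    pair = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
    while True:
        folded = pair.sub(r'"\1\2"', js)
        if folded == js:
            return js
        js = folded


def deobfuscate(js):
    """Full pass: locate tables, inline the lookups, join the fragments."""
    return fold_concat(resolve_calls(js, find_lookup_functions(js)))


def extract_urls(tables):
    """Pull URL-looking entries out of every decoded table for IOC triage."""
    return [s for t in tables.values() for s in t
            if s.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    tables = find_lookup_functions(SAMPLE_JS)
    for name, strings in tables.items():
        print(f"{name}: {strings}")
    print("URLs:", extract_urls(tables))
    print(deobfuscate(SAMPLE_JS))
```

Running the block prints the decoded table, the recovered URL, and the script with new ActiveXObject('Wscript.Shell') and the download URL in clear. Real samples vary the function shape, so treat LOOKUP_FN as the part to adapt per family; the decoding and substitution steps stay the same.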

Wineloader Execution

In the deobfuscated JavaScript, the HTA file performs pre-checks before continuing with the next stages of infection.

ARC Labs modified the script to make it appear as though the remote host was alive, allowing the infection to continue.

Recreating the full infection chain revealed that the code is launched directly by mshta.exe without spawning an additional process.

Mshta.exe is a legitimate Windows program that executes HTML Application files. Running the payload directly under it aids defense evasion by limiting the number of processes spawned on the compromised device.

ARC Labs analysis revealed the final stages of the infection chain included downloading an additional file named text.txt, which was an encoded archive containing sqlwriter.exe and vcruntime140.dll.

Sqlwriter.exe is a legitimate Microsoft application, and vcruntime140.dll is the Wineloader payload.

Sideloading Technique

The malicious DLL is loaded automatically when sqlwriter.exe executes because of the order in which Windows searches for the DLLs listed in an executable's import table: the directory containing the executable is checked before the system directories.

This technique, known as “sideloading,” allows the malicious DLL to be automatically located first and loaded by the executable.

Once the DLL is sideloaded into sqlwriter.exe, Wineloader attempts to establish persistence on the host by creating a scheduled task for sqlwriter.exe or by establishing registry persistence at the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer
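The sideloading and persistence behaviour described in the two sections above lends itself to host-based detection. The following is an added example, not ARC Labs' Sentinel KQL: two simple rules run over constructed Sysmon-style events, one flagging sqlwriter.exe running from an unexpected directory while loading a vcruntime140.dll that sits beside it, the other flagging the reported Run-key value name or a scheduled task whose action is a sqlwriter.exe outside the expected install directory. The event field names, host paths and the "expected" SQL Server directory are assumptions; only the value name MS SQL Writer comes from the analysis.

```python
import ntpath

# Constructed Sysmon-style telemetry. Field names, host paths and the expected
# install directory are assumptions for this example; only the Run-key value
# name "MS SQL Writer" comes from the reported analysis.
EVENTS = [
    {"type": "image_load",
     "process": r"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe",
     "image": r"C:\Windows\System32\vcruntime140.dll"},
    {"type": "image_load",
     "process": r"C:\Users\victim\AppData\Local\Temp\text\sqlwriter.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\text\vcruntime140.dll"},
    {"type": "registry_set",
     "process": r"C:\Users\victim\AppData\Local\Temp\text\sqlwriter.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer",
     "value": r"C:\Users\victim\AppData\Local\Temp\text\sqlwriter.exe"},
    {"type": "registry_set",
     "process": r"C:\Windows\explorer.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "task_create",
     "process": r"C:\Users\victim\AppData\Local\Temp\text\sqlwriter.exe",
     "task_name": r"\MS SQL Writer",
     "action": r"C:\Users\victim\AppData\Local\Temp\text\sqlwriter.exe"},
]

# Assumed legitimate location (lower-cased); tune to the SQL Server builds in your estate.
EXPECTED_SQLWRITER_PREFIX = "c:\\program files\\microsoft sql server\\"


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def outside_expected_dir(exe_path):
    """True when sqlwriter.exe is not under the assumed install directory."""
    return not exe_path.lower().startswith(EXPECTED_SQLWRITER_PREFIX)


def detect_sideload(ev):
    """sqlwriter.exe in an unexpected directory loading a co-located vcruntime140.dll,
    the search-order abuse the article describes."""
    if ev["type"] != "image_load":
        return None
    proc, img = ev["process"], ev["image"]
    if _base(proc) != "sqlwriter.exe" or _base(img) != "vcruntime140.dll":
        return None
    if _dir(proc) == _dir(img) and outside_expected_dir(proc):
        return f"sideload: {proc} loaded co-located {img}"
    return None


def detect_persistence(ev):
    """Run-key value 'MS SQL Writer', or a scheduled task whose action is a
    sqlwriter.exe outside the expected install directory."""
    if ev["type"] == "registry_set":
        if ev["key"].lower().endswith(r"\currentversion\run\ms sql writer"):
            return f"persistence: Run key 'MS SQL Writer' -> {ev['value']}"
    elif ev["type"] == "task_create":
        if _base(ev["action"]) == "sqlwriter.exe" and outside_expected_dir(ev["action"]):
            return f"persistence: task {ev['task_name']} runs {ev['action']}"
    return None


RULES = (detect_sideload, detect_persistence)


def triage(events):
    """Return every alert raised by any rule, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The registry rule keys on the exact value name and is therefore brittle on its own; the path-based checks (sqlwriter.exe outside its install directory, a runtime DLL loaded from that same directory) survive a rename and should be the primary signal, with the value name as corroboration.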

After persistence is established, the backdoor sends specific beacon requests to the dedicated command-and-control server to report that persistence is complete. At the time of analysis, the C2 server was offline, which prevented any further analysis.

However, as Wineloader is a first-stage backdoor, a second-stage malicious payload would likely be transferred from the command-and-control server to the compromised device.

ARC Labs’ comprehensive analysis of Wineloader provides valuable insights and detection strategies for defenders.

By understanding the infection chain, obfuscation techniques, and persistence mechanisms, organizations can better protect themselves against this sophisticated threat.
