Cozy Bear targets EU diplomats with wine-tasting invites (again)

APT29 (aka Cozy Bear, aka Midnight Blizzard) is, once again, targeting European diplomats with fake invitations to wine-tasting events, Check Point researchers have shared.

Cozy Bear uses wine-tastings and dinners as a lure

In early 2024, Zscaler flagged a low-volume phishing campaign aimed at delivering the WINELOADER backdoor to European diplomats. The lure was a PDF file containing a fake invitation letter supposedly sent by the Ambassador of India, inviting diplomats to a wine-tasting event.

Around the same time, German political parties were similarly targeted with fake invitations to a dinner reception, apparently sent by the Christian Democratic Union (CDU).

These types of lures are obviously working well enough, as the Cozy Bear hackers – believed to be acting on behalf of Russia’s Foreign Intelligence Service (SVR) – are again using fake invitations to diplomatic events as a pretext to get targets to download malware.

The phishing campaign and the malware

This time around, the phishing emails impersonated the venue where the events were supposedly to be held, and contained an invitation by a major European foreign affairs ministry. The targets were European governments and diplomats.

“Each email contained a malicious link that, when clicked, initiated the download of wine.zip for the next stage of the attack. The domain hosting the link was the same domain used for sending the email. In cases where the initial attempt was unsuccessful, additional waves of emails were sent to increase the likelihood of getting the victim to click the link and compromise his machine,” the researchers noted.

The archive file contained several DLL files, among them a loader – dubbed GRAPELOADER by the researchers – which is thought to have been used to download a variant of the WINELOADER modular backdoor.

“In proximity to GRAPELOADER phishing emails, a new variant of the WINELOADER was submitted to VirusTotal. The newly discovered variant shares the same Rich-PE headers and a compilation timestamp closely matching that of AppvIsvSubsystems64.dll, suggesting they were likely part of the same attack flow,” the researchers noted.

“With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER.”

GRAPELOADER employs several anti-analysis techniques, creates a Run registry key to ensure its persistence on the target machine(s), is able to evade endpoint security solutions, and executes malicious code in memory.
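The Run-key persistence described above is one of the few artifacts a defender can inventory across a fleet. The script below is an added illustration, not code from the article or from Check Point: it triages exported Run-key entries and flags the patterns a loader dropped from a phishing archive tends to leave (a binary in a user-writable directory, or a DLL launched through rundll32/regsvr32). The sample entries, paths and file names are constructed for the example and are not indicators from this campaign.

```python
"""
Hunting helper: flag suspicious Windows Run-key persistence entries.

Added example, not code from the article or from Check Point. It assumes the
Run-key values have already been exported (for instance with `reg query` or an
EDR inventory) into (name, command) pairs. All sample data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories a standard user can write to. A payload extracted from a
# phishing archive usually lands here rather than under Program Files.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\temp\\|\\programdata\\|%(appdata|localappdata|temp|tmp)%)",
    re.IGNORECASE,
)

# Built-in hosts commonly used to execute a DLL from a Run key.
DLL_HOSTS = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
DLL_REF = re.compile(r"\.dll\b", re.IGNORECASE)


@dataclass
class RunEntry:
    name: str     # registry value name
    command: str  # command line stored in the value


def score_entry(entry: RunEntry) -> list[str]:
    """Return the reasons an entry looks suspicious (empty list = nothing flagged)."""
    reasons: list[str] = []
    cmd = entry.command
    if USER_WRITABLE.search(cmd):
        reasons.append("binary in user-writable path")
    if DLL_REF.search(cmd):
        if DLL_HOSTS.search(cmd):
            reasons.append("DLL executed through rundll32/regsvr32")
        else:
            reasons.append("Run key references a DLL directly")
    return reasons


def triage(entries: list[RunEntry]) -> dict[str, list[str]]:
    """Map value name -> reasons, for every entry with at least one reason."""
    result = {}
    for entry in entries:
        reasons = score_entry(entry)
        if reasons:
            result[entry.name] = reasons
    return result


# Constructed sample inventory (hypothetical names and paths, not real IoCs).
SAMPLE_ENTRIES = [
    RunEntry("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    RunEntry("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    RunEntry("Updater", r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\inv\helper.dll",Start'),
    RunEntry("Viewer", r"C:\Users\alice\Downloads\inv\viewer.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The checks are deliberately coarse: a legitimate updater living under AppData will also be flagged, so the output is a triage queue for an analyst, not an alert. Pairing the Run-key inventory with the parent-process and file-creation timeline from the endpoint agent is what turns a hit into a confirmed persistence finding.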

“As this campaign is highly targeted, using CollectedEnvironmentInfo to fingerprint infected machines, and because the execution of the next-stage payload leaves no persistent traces, we were unable to retrieve the next-stage shellcode,” the researchers concluded.
