Russian APT29 Targets German Political Parties with Phishing Campaign

The article discusses the escalation of cyberattacks by APT29, a Russian hacking group targeting German political parties with sophisticated malware. It also discusses the emergence of AcidPour, a data-wiping malware with potential ties to Russian military intelligence, highlighting the need for enhanced cybersecurity measures to counter evolving threats.

At a glance

  • APT29, also known as Cozy Bear, has escalated cyberattacks targeting political parties in Germany.
  • The latest phishing campaign involves sending emails disguised as dinner invitations from the Christian Democratic Union (CDU) containing malware.
  • The Rootsaw malware dropper deployed by APT29 downloads and installs the WineLoader backdoor on the victim’s computer.
  • WineLoader is a sophisticated malware that establishes encrypted communication with a C2 server and can execute various espionage activities.
  • AcidPour, a data-wiping malware with ties to Russian military intelligence, has raised concerns about attacks on Ukrainian telecom providers.

The details

Recently, there has been a concerning escalation in cyberattacks attributed to APT29, a Russian espionage hacking group believed to be linked to the Russian Foreign Intelligence Service (SVR). APT29, also known as Cozy Bear, has a history of engaging in various cyberattacks, including the notorious SolarWinds supply chain attack that occurred in December 2020. However, the group has now shifted its focus towards targeting political parties in Germany, moving away from its previous emphasis on diplomatic missions.

The latest phishing campaign orchestrated by APT29 against German political parties commenced in late February 2024. The phishing emails, disguised as dinner invitations from the Christian Democratic Union (CDU), contain a link to a ZIP archive housing the ‘Rootsaw’ malware dropper.

Once executed, the Rootsaw malware downloads and deploys the WineLoader backdoor on the victim’s computer.

WineLoader

WineLoader, previously identified in phishing attacks impersonating invites to diplomats for a wine-tasting event, establishes an encrypted communication channel with the command and control (C2) server.

Notably, WineLoader is a sophisticated, modular malware: its payload is decrypted using RC4 and loaded into memory via DLL side-loading to evade detection.

It can execute various espionage activities as instructed by the C2, including establishing persistence on compromised systems.

The custom, non-off-the-shelf design of WineLoader underscores APT29’s advanced capabilities in cyber operations.

AcidPour

In a separate development, the emergence of AcidPour, a data-wiping malware with potential ties to Russian military intelligence, has raised concerns about attacks on Ukrainian telecom providers.

AcidPour is considered a variant of the destructive AcidRain malware, specifically targeting Linux systems running on x86 architecture, and it possesses expanded capabilities to disable devices.

The coding similarities between AcidPour, AcidRain, and CaddyWiper suggest a common origin within a hacking crew identified as UAC-0165.

Ukraine’s Computer Emergency Response Team has implicated UAC-0165 in attacks on telecommunication service providers, with the Russian APT group Solntsepyok claiming responsibility for infiltrating four telecom operators in Ukraine and disrupting their services.

While it remains uncertain whether AcidPour was used in the recent attacks, the evolving tactics of these threat actors highlight the pressing need for enhanced cybersecurity measures to mitigate operational disruptions and safeguard critical infrastructure.

The convergence of these cyber threats underscores the increasing sophistication and brazenness of state-sponsored hacking groups, necessitating a coordinated and robust response from international cybersecurity communities to counter and neutralize such threats effectively.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

securityweek.com
– APT29 is a Russian espionage hacking group believed to be linked to the Russian Foreign Intelligence Service (SVR)
– APT29 has been involved in various cyberattacks, including the SolarWinds supply chain attack in December 2020
– The group has shifted its focus to targeting political parties in Germany, moving away from diplomatic missions
– The phishing attacks deploy a backdoor malware named WineLoader to gain remote access to compromised devices and networks
– APT29 has targeted cloud services, breached Microsoft systems, and compromised MS Office 365 email environments
– The recent phishing campaign against German political parties began in late February 2024
– The phishing emails pretend to be dinner invitations from the Christian Democratic Union (CDU) and contain a link to a ZIP archive with the ‘Rootsaw’ malware dropper
– The Rootsaw malware downloads and executes the WineLoader backdoor on the victim’s computer
– WineLoader was previously discovered in phishing attacks pretending to be invites to diplomats for a wine-tasting event
– WineLoader establishes an encrypted communication channel with the command and control (C2) server
– The malware is modular and customized, does not use off-the-shelf loaders, and can execute various espionage activities
– WineLoader is decrypted using RC4 and loaded into memory via DLL side-loading to evade detection
– The C2 can order the execution of modules to perform specific tasks, such as establishing persistence
– APT29’s shift to targeting political parties may suggest an intent to influence or monitor political processes
bleepingcomputer.com
– AcidPour is a data wiping malware that may have been used in attacks on four telecom providers in Ukraine
– The malware has connections to AcidRain and Russian military intelligence
– AcidPour targets Linux systems running on x86 architecture and has expanded capabilities to disable various devices
– AcidPour is a variant of AcidRain, which was used to cripple Ukraine’s military communications
– Both AcidRain and AcidPour use similar methods for wiping directories and reboot calls
– AcidPour has a coding style similar to CaddyWiper and is attributed to a hacking crew known as UAC-0165
– The Computer Emergency Response Team of Ukraine implicated UAC-0165 in attacks on telecommunication service providers
– Solntsepyok, a Russian APT group, claimed to have infiltrated four telecom operators in Ukraine and disrupted their services
– Solntsepyok has been accused of hacking into Kyivstar’s systems in the past
– It is unclear if AcidPour was used in the recent attacks, but the discovery suggests threat actors are refining their tactics to cause significant operational impact.
