Wineloader - Analysis of the Infection Chain
Essential information
- Published
- 06/06/2024 08:13
- Modified
- 06/06/2024 08:35
- Tags
- 2024-06-06 backdoor javascript obfuscation persistence sideloading wineloader
- Related entities
- 9 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware
Description
The analysis examines the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine tasting event invitation. Executing the obfuscated HTA file downloads the Wineloader payload, which utilizes sideloading and creates scheduled tasks or registry entries for persistence. Techniques to deobfuscate the JavaScript code are provided to extract valuable intelligence from obfuscated payloads.