{
  "Event": {
    "analysis": "0",
    "date": "2024-06-04",
    "extends_uuid": "",
    "info": "[Fireeye] APT29 Uses WINELOADER to Target German Political Parties",
    "protected": false,
    "publish_timestamp": "0",
    "published": false,
    "threat_level_id": "4",
    "timestamp": "1718785033",
    "uuid": "665ee410-9c20-44dd-8692-02de0abe1822",
    "Orgc": {
      "name": "CERT-FR",
      "uuid": "56bdf779-46f8-4353-bdf9-2bb95bce2212"
    },
    "Tag": [
      {
        "colour": "#f89595",
        "local": false,
        "name": "fr-classif:non-classifiees=\"NON-CLASSIFIEES\"",
        "relationship_type": ""
      },
      {
        "colour": "#007350",
        "local": false,
        "name": "cert-fr:fiabilite=\"Moderee\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "PAP:CLEAR",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1718642252",
        "to_ids": true,
        "type": "comment",
        "uuid": "66cb2571-00c8-47de-a087-ccbdc269a8c0",
        "value": "Phishing emails were sent using German-language lure content and bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany.\r\n\r\nThe German-language lure document contains a phishing link directing victims to an actor-controlled compromised website hosting a malicious ZIP file containing a dropper. The dropper uses https://github.com/javascript-obfuscator/javascript-obfuscator and delivers a second-stage CDU-themed lure document and the next-stage payload (WINELOADER).\r\n\r\nThe payload is decoded using Windows Certutil, then decompressed using tar. Finally, the legitimate Windows binary SqlDumper.exe is executed by the actor.",
        "Tag": [
          {
            "colour": "#00af7a",
            "local": false,
            "name": "DescriptionTechnique",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1717494800",
        "to_ids": true,
        "type": "url",
        "uuid": "c6a319c6-3542-46ef-9b8e-a21e4709659d",
        "value": "https://waterforvoiceless.org/invite.php"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1717494800",
        "to_ids": true,
        "type": "url",
        "uuid": "3aaac9e7-a556-4aba-8888-33745522a6c0",
        "value": "https://waterforvoiceless.org/util.php*"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1717494800",
        "to_ids": true,
        "type": "url",
        "uuid": "fe4438fc-6e0f-490d-a82c-c73ac3a59ee0",
        "value": "https://siestakeying.com/auth.php"
      }
    ],
    "Object": [
      {
        "comment": "Second CDU-themed PDF lure document",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1717494800",
        "uuid": "5038f8ec-c9c8-483a-a62d-cbab5b114c0d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1717494800",
            "to_ids": true,
            "type": "filename",
            "uuid": "61035480-d703-4caf-b0dc-1a181a1be7b2",
            "value": "Invite.pdf"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1717494800",
            "to_ids": true,
            "type": "md5",
            "uuid": "571ae203-b9ef-40ce-a425-7632a08ee6dc",
            "value": "fb6323c19d3399ba94ecd391f7e35a9c"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1717494800",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e7454c95-a7f4-4591-99f6-f21b5ecaac80",
            "value": "4ba7167006d8814ba68f4c9b11c7dd202cf5f1ce"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1717494800",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a4fe0505-177a-4430-b0dc-423497824762",
            "value": "cc759597a4cc8d90ac79b9bac2eecd31ca86e76f1b9e89306aedb902e6b030fa"
          }
        ]
      },
      {
        "comment": "Zip file containing ROOTSAW",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1717494800",
        "uuid": "6f19d088-8b7c-4039-803f-7b8de5ae6668",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1717494800",
            "to_ids": true,
            "type": "filename",
            "uuid": "9485654a-3450-4b81-8563-43cd203e400c",
            "value": "invite.php"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1717494800",
            "to_ids": true,
            "type": "md5",
            "uuid": "9e783bb9-3565-4883-aff5-0795524d1343",
            "value": "7a465344a58a6c67d5a733a815ef4cb7"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1717494800",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d5789462-d89c-4cee-8a3b-d8fca3791d52",
            "value": "30b2eb1fe6130b5a7f96ab208385d1c85d3ea657"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha256",
            "uuid": "627e4f5f-0c22-41c9-82bb-b7cc2ea8ef97",
            "value": "da72f270c60e07101368dfa087ad675ccaf0d5f167cc5cb50629a3ffa4e5399b"
          }
        ]
      },
      {
        "comment": "ROOTSAW downloader containing obfuscated code",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1717494801",
        "uuid": "0e61daa8-74a8-462c-b66b-98272a54c6ef",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "filename",
            "uuid": "d074456e-1267-45e5-b4d9-8f6986d9d519",
            "value": "invite.hta"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "md5",
            "uuid": "8a36e44c-598d-4d9b-81e0-1a8ca1851f10",
            "value": "efafcd00b9157b4146506bd381326f39"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4382cc5d-1dee-4af4-b9fb-a0a95352472f",
            "value": "5b6b25012fa541a227e1c20d9f3004ce4e7d4aee"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha256",
            "uuid": "be66a2ad-6f1b-497b-9419-aa33389c1738",
            "value": "a0f183ea54cb25dd8bdba586935a258f0ecd3cba0d94657985bb1ea02af8d42c"
          }
        ]
      },
      {
        "comment": "Malicious certificate file, extracted using Windows Certutil",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1717494801",
        "uuid": "e2b938a2-fd32-48c4-bab2-3d06206d6a6b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "filename",
            "uuid": "70ba40e8-e984-4ca9-b491-62fb0b93c47e",
            "value": "invite.txt"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "md5",
            "uuid": "6c88b8d6-cde6-42f3-8fa3-e0f6b68691bf",
            "value": "44ce4b785d1795b71cee9f77db6ffe1b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0ff6c46f-be0c-4eb8-a003-1009a5979cbc",
            "value": "2ad6101ad3396873dbd4de10beb9d9caaa5950bc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha256",
            "uuid": "caca08e4-3935-46aa-93fd-ef5ca3ce8340",
            "value": "6c6f005bf3c3faa9e8d58871d7cbc8deeaa593193267cb174acb3ac2eb11876f"
          }
        ]
      },
      {
        "comment": "WINELOADER downloader",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1717494801",
        "uuid": "8fe82483-0a48-4344-acda-1edb48459b98",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "filename",
            "uuid": "e3290b89-ba3c-4530-a262-063a555bf4cd",
            "value": "vcruntime140.dll"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "md5",
            "uuid": "b76f5a52-43f0-410e-aa90-f0c3afd0c441",
            "value": "8bd528d2b828c9289d9063eba2dc6aa0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "aecb5b13-8fde-4b60-a5c0-196ac3e22afe",
            "value": "5d3f3113ef76af7c1a2447d35e8b09bd270b461e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9b4c4c3d-3c2b-4400-8d89-688ee06fcb5e",
            "value": "d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750"
          }
        ]
      },
      {
        "comment": "WINELOADER downloader",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1717494801",
        "uuid": "7dd0689b-9e84-4158-b0c9-05674f99de6e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "filename",
            "uuid": "8767096c-9e38-4842-80b2-0d4a133cc26c",
            "value": "Vcruntime140.dll"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "md5",
            "uuid": "fe8c1a5f-ed73-43bc-82e7-4008f987c7e9",
            "value": "8bd528d2b828c9289d9063eba2dc6aa0"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4a3bc089-18ba-4af8-9532-c11cebd0301f",
            "value": "5d3f3113ef76af7c1a2447d35e8b09bd270b461e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c86d81ab-22ac-4f23-ae8e-55c8894ead34",
            "value": "d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750"
          }
        ]
      },
      {
        "comment": "Malicious zip containing WINELOADER",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "15",
        "timestamp": "1717494801",
        "uuid": "691954fc-6ce4-4ad5-bd3b-2362dfec5cb8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "filename",
            "uuid": "6fbc0f49-3e33-44b5-bbf0-105dac6d662a",
            "value": "invite.zip"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "md5",
            "uuid": "f0976e5f-8225-474f-bcfd-48261b8e45e6",
            "value": "5928907c41368d6e87dc3e4e4be30e42"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1717494801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1d0fa01d-9dc1-4077-a672-d4fa39e1b072",
            "value": "2a924bceec6098915d2935c7615f07fc000a1f34"
          }
        ]
      }
    ]
  }
}