Cozy Bear infects German politicians with WineLoader malware

March 26, 2024

The notorious Cozy Bear hacking group, allegedly linked to Russia’s Foreign Intelligence Service (SVR), has redirected its attention towards German political parties by executing a cybercriminal campaign that launches the WineLoader malware.

The group’s shift in tactics indicates a potential move to influence or monitor political processes, possibly aligned with broader geopolitical objectives.

Cozy Bear executes a phishing campaign that would infect German political entities with the WineLoader malware.

Cozy Bear has been running a phishing campaign against German political entities since late February 2024, with WineLoader as its primary malware. Reports revealed that the attackers are employing sophisticated phishing tactics, impersonating the Christian Democratic Union (CDU), a prominent political party in Germany.

In addition, a research group observed these phishing emails masquerading as dinner invitations from the CDU. The emails contain links to external pages hosting ZIP archives that carry the WineLoader malware. Once executed, WineLoader provides its operators with remote access to the compromised systems, giving the threat actors control over the targeted devices and networks.

Interestingly, a separate researcher identified a threat group earlier this year that deployed WineLoader in phishing schemes posing as invitations to wine-tasting events for diplomats. Compared with similar malware variants associated with Cozy Bear, WineLoader shows a more refined and customised approach, featuring encrypted communication channels for data exchange with its C2 servers. This detail suggests that WineLoader has become the malware of choice for various threat actors.

WineLoader uses techniques such as RC4 decryption and DLL side-loading through legitimate Windows executables to evade detection. Once running, the malware exfiltrates key system information to its C2 servers, facilitating further espionage activity.
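As an added illustration of the delivery layout described above (an archive that pairs a legitimate executable with a DLL it will load from the same folder), here is a triage check a defender could run on a suspicious attachment before it is opened. This is example code written for this page, not the researchers' tooling, and the archive contents and file names are constructed.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Added triage check (not from the article or any vendor tool): flag archives
# that bundle a Windows executable together with a DLL in the same folder,
# the layout a DLL side-loading lure needs so the DLL is resolved by name.
# PE files (EXE and DLL alike) begin with the two-byte DOS header "MZ".
PE_MAGIC = b"MZ"


def sideload_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return sorted (exe, dll) member-name pairs that share a folder.

    Only members whose content starts with the PE magic count, so a renamed
    text file with a .dll extension does not produce a false hit.
    """
    by_folder: Dict[str, Dict[str, List[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, _, base = info.filename.rpartition("/")
            ext = base.lower().rsplit(".", 1)[-1]
            if ext not in ("exe", "dll"):
                continue
            with zf.open(info) as member:
                if member.read(2) != PE_MAGIC:
                    continue
            by_folder.setdefault(folder, {"exe": [], "dll": []})[ext].append(info.filename)
    pairs = []
    for kinds in by_folder.values():
        for exe in kinds["exe"]:
            for dll in kinds["dll"]:
                pairs.append((exe, dll))
    return sorted(pairs)


def build_sample_zip() -> bytes:
    """Constructed sample: an executable, a real DLL, a decoy document,
    and a '.dll' that is not a PE file (must be ignored)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invite/viewer.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invite/helper.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("invite/invitation.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("invite/notes.dll", b"plain text, not a PE file")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, dll in sideload_pairs(build_sample_zip()):
        print(f"possible side-loading bundle: {exe} + {dll}")
```

A hit is a reason to detonate the archive in a sandbox or check the DLL's signature and exports, not proof of compromise on its own.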

While specific details regarding WineLoader's capabilities remain undisclosed, its modular design suggests a range of potential espionage activities that serve Cozy Bear's objectives. This latest development shows the relentless pursuit by APT29, the name under which Cozy Bear is also tracked, of advanced technical capabilities to breach and compromise targeted entities.

The shift towards targeting political parties highlights the group’s evolving strategic objectives, raising concerns about potential interference in political processes and wider geopolitical consequences.
