Notorious Russian threat group Midnight Blizzard has been mixing up its attack methods in recent months, according to analysis from Check Point, including targeting European diplomats with the lure of luxury events.
In a blog post detailing the campaign, researchers said the threat group has been targeting European governments and diplomats since January this year.
The campaign saw hackers impersonate a “major European Ministry of Foreign Affairs” and target victims with phishing emails inviting them to a wine tasting event.
Malicious emails curated by the group contained a link to deploy a backdoor dubbed ‘GRAPELOADER’, researchers added.
“The emails contained a malicious link that led, in some cases, to the download of an archive, eventually leading to the deployment of GRAPELOADER,” the blog post reads.
“In other cases, the link in the phishing emails redirects to the official website of the impersonated Ministry of Foreign Affairs.”
The malicious emails in question were sent from two distinct domains, according to Check Point - bakenhof[.]com and silry[.]com - and sought to mimic legitimate communications from a particular individual in the fake Ministry of Foreign Affairs.
When the target clicks the malicious link, this initiates the download of an archive dubbed ‘wine.zip’ which sets the next stage of attack in motion. This archive contained three files, including:
- A legitimate PowerPoint executable, ‘wine.exe’, which the group exploited for DLL side loading.
- A hidden DLL, ,AppvIsvSubsystems64.dll’, which researchers said serves as a “required dependency for the PowerPoint executable to run
- Another “hidden and heavily obfuscated” DLL, ppcore.dll, which functions as a loader and used to deliver the payload in later phases of the attack
Once wine.exe is executed and the GRAPELOADER DLL is side-loaded, researchers explained the malware copies contents of the wine.zip archive to a new location on the device disk.
“It then gains persistence by modifying the Windows registry’s Run key, ensuring that wine.exe is executed automatically every time the system reboots,” the blog post noted.
“Next, GRAPELOADER collects basic information about the infected host, such as the host name and username. This collected data is then sent to the Command and Control (C2) server, where it waits for the next-stage shellcode to be delivered.”
Sound familiar? You’re not far off
If you’re wondering why this sounds familiar, it’s because a similar campaign has already been carried out by the Midnight Blizzard.
Last year, the threat group targeted German politicians with fake invitations to a dinner reception using malware dubbed ‘WINELOADER’. This latest campaign, Check Point revealed, is a continuation of that previous flurry of attacks.
In this instance, GRAPELOADER is designed specifically for the initial stages of an attack.
“It is primarily used for fingerprinting the infected environment, establishing persistence, and retrieving the next-stage payload,” researchers said.
Detailed analysis of both show that they share a range of similarities, particularly with regard to code structure, obfuscation techniques, and string decryption processing, the company added.
Notably, Check Point revealed this particular campaign also included a new variant of WINELOADER being used in conjunction with GRAPELOADER, which suggests “codebase overlaps or shared development tactics”.
This new variant displayed improved stealth and evasion techniques, which researchers warned will muddle detection efforts.
Midnight Blizzard doesn’t quit
Midnight Blizzard, also known as Cozy Bear, is among the most active and aggressive threat groups operating globally. With links to the Russian government, the group has been identified as the culprit behind a raft of breaches in recent years, including an attack on Microsoft which saw email communications compromised.
This particular attack saw the group reportedly use password spraying techniques to compromise a legacy account. In the wake of the incident, Microsoft revealed the group was able to access a “very small percentage” of corporate email accounts.
Some of these accounts belonged to members of the tech giant’s senior leadership team, as well as staff from its security and legal teams.
MORE FROM ITPRO
- HPE alerts affected staff after Midnight Blizzard breach
- Sneak-and-peek Midnight Blizzard attack highlights “worrying flaws” in Microsoft security processes
- Midnight Blizzard is on the rampage again, and enterprises should be wary of its new tactics
-
Global IT spending set to exceed $6 trillion in 2026News Several key areas are expected to drive the bulk of investment next year
-
Data engineers have never been more important, as businesses are starting to find outNews An MIT survey for Snowflake shows the changing role of data engineers – and their rise in influence
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Been offered a job at Google? Think again. This new phishing scam is duping tech workers looking for a career changeNews A new Google Careers phishing scam is targeting tech workers looking for a change of scenery – here's how to stay safe
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
-
Hackers are abusing ConnectWise ScreenConnect, againNews A new spear phishing campaign has targeted more than 900 organizations with fake invitations from platforms like Zoom and Microsoft Teams.
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
Malicious URLs overtake email attachments as the biggest malware threatNews With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victims
News Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
