From Water to Wine: An Analysis of WINELOADER | Splunk

Summary: This content discusses the APT29 campaign targeting political parties using the WINELOADER backdoor, providing detailed analysis of the TTPs employed by APT29 and offering detection and response strategies.

Threat Actor: APT29 | APT29
Victim: Political parties | political parties

Key Point :

  • The APT29 campaign involves the use of the WINELOADER backdoor to target political parties.
  • The Splunk Threat Research Team has developed an Atomic Red Team test and released a new analytic story to help organizations detect and respond to this threat.
  • Security teams should stay informed and enhance their detection capabilities to protect against sophisticated threats like APT29.

The simplified version of this python tool is available here.

IOC

FileName

SHA256

vcruntime140.dll

72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4

d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750

YARA Rule:

import "pe"
rule possible_wine_loader_export_function {
    meta:
        author =  "@tccontre18 - Br3akp0int"
        description = "possible wine loader export function setup code"
        date =  "2024-04-03"
        sha256 = "72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4"
    strings:
        $exp_loader = {48 83 EC 08 48 8D 0D ?? ?? ?? ?? 48 C7 C2 28 80 00 00 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 C7 05 ?? ?? ?? ?? ?? ?? 00 00 48 C7 05 ?? ?? ?? ?? 28 80 00 00 E8 ?? ?? 00 00 48 83 C4 08 C3}
    condition:
        uint16(0) == 0x5a4d and $exp_loader and pe.number_of_exports != 0 
    }

Splunk Security Content

The Splunk Threat Research Team has released a new analytic story covering this campaign. Below is a breakdown of the related security content.

Figure 08: Security Content Detection Coverage

Windows MSHTA Writing to World Writable Path

This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. 

Starting on February 26, 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, using obfuscated JavaScript, downloads a file named `invite.txt` to the `C:WindowsTasks` directory. This file is then decoded and decompressed to execute a malicious payload

`sysmon` EventCode=11 Image="*mshta.exe" TargetFilename IN ("*WindowsTasks*", "*WindowsTemp*", "*Windowstracing*", "*WindowsPLAReports*", "*WindowsPLARules*", "*WindowsPLATemplates*", "*WindowsPLAReportsen-US*", "*WindowsPLARulesen-US*", "*WindowsRegistrationCRMLog*", "*WindowsSystem32Tasks*", "*WindowsSystem32Comdmp*", "*WindowsSystem32LogFilesWMI*", "*WindowsSystem32MicrosoftCryptoRSAMachineKeys*", "*WindowsSystem32spoolPRINTERS*", "*WindowsSystem32spoolSERVERS*", "*WindowsSystem32spooldriverscolor*", "*WindowsSystem32TasksMicrosoftWindowsRemoteApp and Desktop Connections Update*", "*WindowsSysWOW64Tasks*", "*WindowsSysWOW64Comdmp*", "*WindowsSysWOW64TasksMicrosoftWindowsPLA*", "*WindowsSysWOW64TasksMicrosoftWindowsRemoteApp and Desktop Connections Update*", "*WindowsSysWOW64TasksMicrosoftWindowsPLASystem*")
 | rename Computer as dest, User as user
 | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`

(Get this content: Windows MSHTA Writing to World Writable Path.)

CertUtil with Decode Argument

CertUtil.exe may be used to `encode` and `decode` a file, including portable executables and script code. Malicious usage will include decoding an encoded file that was downloaded.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
 as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode*
 by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
 Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

(Get this content: CertUtil with Decode Argument.)

Windows SQLWriter SQLDumper DLL Sideload

This analytic identifies the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic:

  • Searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll. 
  • Filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives.
`sysmon` EventCode=7 (Image="*SQLDumper.exe" OR Image="*SQLWriter.exe") ImageLoaded="*vcruntime140.dll" NOT ImageLoaded="C:WindowsSystem32*" | stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image,ImageLoaded, user, Computer, EventCode | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

(Get this content: Windows SqlWriter SQLDumper DLL Sideload.)

Windows Unsigned MS DLL Side-Loading

The following analysis identifies potential DLL side-loading instances involving unsigned DLLs with a company detail signature mimicking Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process. 

The analytics involves:

  • Searching Sysmon logs for Event Code 7,  where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`). 
  • Verifying whether the loaded DLL is signed and checking if the folder paths of the `Image` and `ImageLoaded` are identical. 

This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on org hunting.

`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid 
  NOT (Image IN("C:WindowsSystem32*", "C:WindowsSysWow64*", "C:Program Files*")) 
  NOT (ImageLoaded IN("C:WindowsSystem32*", "C:WindowsSysWow64*", "C:Program Files*")) 
  | rex field=Image "(?<ImageFolderPath>.+)"
  | rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+)"
  | where ImageFolderPath = ImageLoadedFolderPath
  | stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus
  | rename Computer as dest 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_unsigned_ms_dll_side_loading_filter`'


Summary

APT29 has launched a new campaign targeting political parties using the WINELOADER backdoor. Our detailed analysis of the TTPs employed by APT29, focused on the initial access stage and the WINELOADER malware itself. To help organizations detect and respond to this threat, The Splunk Threat Research Team has: 

  • Developed an Atomic Red Team test. 
  • Released a new analytic story. 

As APT29 continues to evolve, it is important for security teams to stay informed and enhance their detection capabilities to protect against sophisticated threats.

Learn More

Visit research.splunk.com to view the Splunk Threat Research Team’s complete security content repository. You can implement this content using the Enterprise Security Content Updates app or the Splunk Security Essentials app.

We would like to thank Teoderick Contreras and Michael Haag for authoring this post and the entire Splunk Threat Research Team for their contributions. 

References

Source: https://www.splunk.com/en_us/blog/security/wineloader-analysis.html


“An interesting youtube video that may be related to the article above”