Notorious Russian hackers target government officials with fake dinner invitations
Russian hackers have been observed impersonating a major German political party in an attempt to infect other political entities in the country with malware that can steal sensitive information and more.
Cybersecurity researchers at Mandiant reported that they detected a copy of a phishing email sent by a Russian state-sponsored threat actor known as APT29, which has previously been linked to the Russian Foreign Intelligence Service (SVR) and blamed for some of the largest cyber attacks in recent years, including the disastrous 2020 SolarWinds attack.
The email imitates the Christian Democratic Union (CDU), one of Germany’s largest political parties, whose prominent members include Angela Merkel, who served as Chancellor for about 16 years and was widely considered one of the most influential politicians in the world.
War effort
Since February 2024, the campaign has been inviting members of other political parties to dinner, with the email including a link to an external page. That page hosts a ZIP archive containing the Rootsaw malware dropper. If executed, the dropper deploys a backdoor called WineLoader.
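The delivery chain above (a lure email whose sender impersonates a party, carrying a link to an archive download that contains the dropper) is the kind of thing a mail-triage rule can flag before anyone clicks. The following is an added example, not code from the article, Mandiant or Zscaler: it parses a constructed sample message, checks whether the display name names a brand whose real sending domains are known, and flags links whose path ends in an archive extension. The brand list, the `cdu.example` domain and the sample message are all placeholders chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Archive types commonly used to wrap a dropper; extend as policy dictates.
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")

# Placeholder mapping of brand names that appear in display names to the
# domains they legitimately send from (assumption for the example).
TRUSTED_DOMAINS = {"CDU": {"cdu.example"}}

# Constructed sample: display name claims a party event office, but the
# sending domain is unrelated and the "invitation" link is an archive.
SUSPICIOUS_EMAIL = """From: "CDU Event Office" <events@example-invite.test>
To: recipient@example.test
Subject: Invitation to dinner

Dear colleague,
please confirm your attendance via the invitation link:
https://example-invite.test/invite/dinner-invitation.zip
"""

# Constructed benign sample: same brand, expected domain, no archive link.
BENIGN_EMAIL = """From: "CDU Event Office" <events@cdu.example>
To: recipient@example.test
Subject: Invitation to dinner

Dear colleague,
the agenda is attached in the follow-up email.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def message_text(msg):
    """Return the text/plain content of a parsed message (all parts joined)."""
    if not msg.is_multipart():
        return msg.get_payload(decode=True).decode("utf-8", "replace")
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def extract_urls(text):
    """Pull every http(s) URL out of a body string."""
    return URL_RE.findall(text)


def triage(raw_email, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw_email)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Brand impersonation: display name names a brand, domain is not one of its own.
    for brand, domains in trusted_domains.items():
        if brand.lower() in display_name.lower() and sender_domain not in domains:
            findings.append(
                f"display name mentions {brand} but sender domain is '{sender_domain}'"
            )

    # 2. Archive download links: the path ends in an archive extension.
    for url in extract_urls(message_text(msg)):
        path = urlparse(url).path.lower()
        if path.endswith(ARCHIVE_EXTENSIONS):
            findings.append(f"link to archive download: {url}")

    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(sample) or "no findings")
```

Both checks are deliberately simple so they are cheap to run on every inbound message; in practice the brand-to-domain map would come from the organisation's own contact records, and an archive-link hit would route the message to a sandbox rather than block it outright.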
WineLoader was first discovered in February, BleepingComputer reports, when Zscaler security researchers found fake invitations to a wine tasting.
While it is safe to assume that WineLoader is an infostealer used in cyber espionage campaigns, it also appears to be much more than that. It is a modular piece of malware that can probably do many more things, depending on the requirements of each individual campaign.
Before WineLoader targeted German political entities, it was seen in the Czech Republic, India, Italy, Latvia and Peru.
Russia has been at war with Ukraine for more than two years, and most of Western Europe has sided with Ukraine, providing aid in military equipment and other logistics. Although not yet confirmed, it is safe to assume that this campaign is also part of the Russian war effort.