Russian hackers have been observed impersonating a major German political party in an attempt to infect other political subjects in the country with malware capable of stealing sensitive information, and more.
Cybersecurity researchers from Mandiant reported detetcing a copy of a phishing email sent from a Russian state-sponsored threat actor known as APT29, which has previously been linked with Russia’s Foreign Intelligence Service (SVR), and attributed to some of the bigger cyberattacks in recent years, including the disastrous SolarWinds attack from 2020.
The email impersonates the Christian Democratic Union (CDU), one of Germany’s largest political parties whose prominent members include, among others, Angela Merkel, who served as the Chancellor for roughly 16 years, and was widely considered among the most influential politicians globally.
War effort
Starting in February 2024, the campaign invites members of other political parties to a dinner party, and comes with a link to an external page. That page drops a ZIP archive of the Rootsaw malware dropper. This dropper, if executed, will deploy a backdoor called WineLoader.
WineLoader was first discovered in February, BleepingComputer reports, when security researchers from Zscaler found fake invitations to a wine-tasting event.
While it’s safe to assume WineLoader is an infostealer used in cyber-espionage campaigns, it also seems to be much more than that. It’s a modular piece of malware that can probably do many more things, depending on each individual campaign’s requirements.
Before targeting German political entities, WineLoader was seen in the Czech Republic, India, Italy, Latvia, and Peru.
Russia has been at war with Ukraine for more than two years, and most of Western Europe sided with Ukraine, providing assistance in military equipment and other logistics. While not confirmed, it’s safe to assume this campaign is also part of the Russian war effort.
+ There are no comments
Add yours