New campaign by Russian cyberespionage group APT29 targets politicians

Similarities with older APT29 backdoors

While Zscaler did not attribute the January attack to any APT group, its researchers believed at the time that it was the work of a nation-state threat actor seeking to exploit diplomatic relations, which is typical of APT29 targeting. Going further, Mandiant has established clear similarities in design and code to two older backdoors tracked as BURNTBATTER and MUSKYBEAT, which are associated only with APT29.

“However, the code family itself is considerably more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism,” the researchers said in their analysis. “Additionally, WINELOADER contains the following shared techniques with other code families used by APT29: the RC4 algorithm used to decrypt the next-stage payload; process/DLL name check to validate the payload context (in use since early BEATDROP variants); and Ntdll usermode hook bypass (in use since early BEATDROP variants).”

WINELOADER is loaded through DLL sideloading: the malicious DLL is placed where a legitimate Windows executable will load it, so the malicious code runs inside a trusted process, which makes detection harder. It then decrypts a portion of its own code with the RC4 cipher. The backdoor is modular; the decrypted code is the main module, which also holds the configuration data and the component that communicates with the command-and-control (C2) server.
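The two unpacking steps mentioned above (the RC4 decryption of the next stage and the process/DLL name check that gates it) are easier to reason about in code. The following is an added example written for this page, not WINELOADER's code or anything from the Mandiant report: the key, the `MODULE` marker, the embedded configuration and the host executable name `host.exe` are all constructed for illustration, not indicators from the analysis.

```python
# Added example (not WINELOADER's code): the unpacking step a staged loader
# of the kind described above performs, reduced to its two observable parts:
# a payload-context check on the sideloading host's name, then RC4 decryption
# of an embedded blob into the next-stage module. Key, blob, marker and host
# names are constructed for illustration, not indicators from the report.
from __future__ import annotations


def rc4_ksa(key: bytes) -> list[int]:
    """RC4 key scheduling: permute the values 0..255 under the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream (PRGA) XORed over data. Symmetric: one call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def host_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def context_ok(host_process: str, expected_host: str) -> bool:
    """Loader-style gate: only unpack when running inside the expected host executable."""
    return host_name(host_process) == expected_host.lower()


STAGE_MARKER = b"MODULE\x00"  # constructed sentinel that marks a successful decrypt

# Constructed "next stage": the marker followed by a small JSON config, since
# the main module described above carries configuration and C2 code together.
SAMPLE_KEY = b"example-rc4-key"  # constructed, not a key from any sample
SAMPLE_MODULE = STAGE_MARKER + b'{"c2":"https://example.invalid/","ua":"ExampleClient/1.0"}'
ENCRYPTED_STAGE = rc4(SAMPLE_KEY, SAMPLE_MODULE)


def unpack_stage(host_process: str, expected_host: str, key: bytes, blob: bytes) -> bytes | None:
    """Return the decrypted module body, or None if the context or the key is wrong."""
    if not context_ok(host_process, expected_host):
        return None  # wrong host process: behave like an inert DLL
    plain = rc4(key, blob)
    if not plain.startswith(STAGE_MARKER):
        return None  # wrong key: RC4 yields garbage, the marker will not match
    return plain[len(STAGE_MARKER):]


if __name__ == "__main__":
    # Hypothetical sideloading host; in a sandbox running the DLL under
    # another process name the context check fails and nothing is unpacked.
    body = unpack_stage(r"C:\Program Files\Vendor\host.exe", "host.exe", SAMPLE_KEY, ENCRYPTED_STAGE)
    print(body)
```

For triage this is the same replay an analyst performs by hand: recover the key from the loader, run the RC4 routine over the embedded blob, and read the configuration out of the result. The context check is also why detonating the DLL on its own, outside the executable it was meant to sideload into, produces no observable behaviour.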

The malware connects to the server over HTTP, using a custom User-Agent string and embedding registration packets in its requests. The attackers can then issue instructions to load additional modules or, if they judge the victim important enough, to establish persistence on the system.
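From the network side, the C2 behaviour described above (a custom User-Agent string, repeated registration requests to one endpoint) shows up in proxy logs as a client that uses an agent string nobody else uses and posts to the same URL at regular intervals. The following detection pass is an added example written for this page, not a rule from the Mandiant report: the log format, the addresses, the URLs and the `ExampleClient/1.0` agent string are all constructed, and the heuristics are generic rather than WINELOADER-specific.

```python
# Added example (not from the Mandiant report): a detection pass over proxy
# logs that surfaces what the C2 behaviour described above looks like from
# the network side: a User-Agent string only one client uses, repeated POSTs
# to one URL, and evenly spaced requests. Log lines, addresses, URLs and the
# User-Agent strings are constructed for illustration.
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: <timestamp> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed proxy log: four clients browsing normally, one client beaconing
# once a minute to a TEST-NET address with an agent string nobody else uses.
SAMPLE_LOG = """\
2024-02-26T10:00:01Z 10.1.2.3 GET https://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
2024-02-26T10:00:05Z 10.1.2.4 GET https://intranet.example/news "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
2024-02-26T10:00:09Z 10.1.2.5 GET https://updates.example/feed "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
2024-02-26T10:00:12Z 10.1.2.6 POST https://intranet.example/login "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/122.0"
2024-02-26T10:00:15Z 10.1.2.7 POST https://203.0.113.10/api/register "ExampleClient/1.0 (constructed)"
2024-02-26T10:01:15Z 10.1.2.7 POST https://203.0.113.10/api/register "ExampleClient/1.0 (constructed)"
2024-02-26T10:02:15Z 10.1.2.7 POST https://203.0.113.10/api/register "ExampleClient/1.0 (constructed)"
"""


def parse_log(text: str) -> list[dict]:
    """Parse lines matching LOG_RE into dicts; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def rare_user_agents(records: list[dict], min_sources: int = 2,
                     ignore_prefixes: tuple[str, ...] = ("Mozilla/",)) -> dict:
    """Agent strings used by fewer than min_sources distinct clients.

    Returns {ua: {"sources": [...], "urls": [...], "posts": n}}. Browser
    strings (ignore_prefixes) are skipped so a lone Firefox user is not flagged;
    that also means malware that spoofs a browser string will not be caught here.
    """
    by_ua = defaultdict(lambda: {"sources": set(), "urls": set(), "posts": 0})
    for r in records:
        if r["ua"].startswith(ignore_prefixes):
            continue
        entry = by_ua[r["ua"]]
        entry["sources"].add(r["src"])
        entry["urls"].add(r["url"])
        if r["method"] == "POST":
            entry["posts"] += 1
    return {
        ua: {"sources": sorted(e["sources"]), "urls": sorted(e["urls"]), "posts": e["posts"]}
        for ua, e in by_ua.items()
        if len(e["sources"]) < min_sources
    }


def beacon_intervals(records: list[dict]) -> dict:
    """Seconds between consecutive requests for each (client, url) pair seen more than once.

    Evenly spaced gaps (for example [60, 60]) are the signature of a beacon or
    a registration retry loop rather than a human clicking around.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["url"])].append(
            datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        )
    out = {}
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) > 1:
            out[key] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ua, info in rare_user_agents(recs).items():
        print(f"rare agent {ua!r}: {info}")
    for (src, url), gaps in beacon_intervals(recs).items():
        print(f"{src} -> {url}: gaps {gaps}s")
```

Rarity alone is noisy (a single user on an unusual browser is rare too), which is why the pass pairs it with the interval check; with `ignore_prefixes=()` the lone Firefox client is flagged as well. In practice both heuristics are a starting point for hunting, and the report's own indicators of compromise and detection rules are what should be matched exactly.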

The Mandiant report includes MITRE ATT&CK TTPs as well as custom detection rules based on indicators of compromise.
