Russian hackers target German political parties with WineLoader malware

  • March 22, 2024, 03:27 PM


Researchers are warning that a notorious hacking group linked to Russia's Foreign Intelligence Service (SVR) is targeting political parties in Germany for the first time, shifting their focus away from the typical targeting of diplomatic missions.

The phishing attacks are designed to deploy a backdoor malware named WineLoader, which allows threat actors to gain remote access to compromised devices and networks.

APT29 (also known as Midnight Blizzard, NOBELIUM, and Cozy Bear) is a Russian espionage hacking group believed to be part of the Russian Foreign Intelligence Service (SVR).

The hacking group has been linked to many cyberattacks, including the infamous SolarWinds supply chain attack in December 2020.

The threat actors have remained active throughout these years, typically targeting governments, embassies, senior officials, and various entities using a range of phishing tactics or supply chain compromises.

APT29's recent focus has been on cloud services, breaching Microsoft systems and stealing data from Exchange accounts, and compromising the MS Office 365 email environment used by Hewlett Packard Enterprise.

Impersonating political parties

Mandiant researchers say that APT29 has been conducting a phishing campaign against German political parties since late February 2024. This marks a significant shift in the hacking group's operational focus, as it's the first time the hacking group has targeted political parties.

The hackers now use phishing emails with a lure themed around the Christian Democratic Union (CDU), a major political party in Germany and currently the second largest in the federal parliament (Bundestag).

The phishing emails seen by Mandiant pretend to be dinner invitations from the CDU and embed a link to an external page that drops a ZIP archive containing the 'Rootsaw' malware dropper.

Phishing message (Mandiant)

When executed, the Rootsaw malware downloads and executes a backdoor named 'WineLoader' on the victim's computer.

The WineLoader malware was previously discovered by Zscaler, which in February saw it deployed in phishing attacks pretending to be invitations for diplomats to a wine-tasting event.

The WineLoader backdoor features several similarities with other malware variants deployed in past APT29 attacks, such as 'burnbatter', 'myskybeat', and 'beatdrop,' suggesting a common developer.

However, the malware is modular and more customized than previous variants, does not use off-the-shelf loaders, and establishes an encrypted communication channel for data exchange with the command and control (C2) server.

Mandiant's analysts first saw WineLoader in late January 2024 in an operation targeting diplomats from the Czech Republic, Germany, India, Italy, Latvia, and Peru. This particular variant therefore appears to have been APT29's malware of choice lately.

To evade detection, WineLoader is decrypted using RC4 and loaded directly into memory via DLL side-loading, abusing a legitimate Windows executable (sqldumper.exe).
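As an added example that is not part of Mandiant's or this article's material, the following check runs over constructed Sysmon-style image-load events and flags the side-loading pattern just described: sqldumper.exe running outside its expected install directory, or loading a non-Microsoft-signed DLL from its own folder. The expected install prefixes, the sample paths, and the placeholder DLL name are assumptions, not indicators from the report.

```python
"""Flag image-load events that look like DLL side-loading through sqldumper.exe.
Sample events are constructed to mirror Sysmon Event ID 7 fields; this is an
illustrative detector, not a vendor rule."""
from pathlib import PureWindowsPath

# Assumption: where a legitimately installed sqldumper.exe is expected to live.
EXPECTED_PREFIXES = (
    r"c:\program files\microsoft sql server",
    r"c:\program files (x86)\microsoft sql server",
)


def side_load_indicators(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list means benign)."""
    image = event.get("Image", "")
    if PureWindowsPath(image).name.lower() != "sqldumper.exe":
        return []  # only interested in loads performed by sqldumper.exe
    reasons = []
    if not image.lower().startswith(EXPECTED_PREFIXES):
        reasons.append("sqldumper.exe running outside its expected install path")
    dll = event.get("ImageLoaded", "")
    # PureWindowsPath compares case-insensitively, as Windows does.
    same_dir = PureWindowsPath(image).parent == PureWindowsPath(dll).parent
    ms_signed = (event.get("Signed", "false").lower() == "true"
                 and "microsoft" in event.get("Signature", "").lower())
    if same_dir and not ms_signed:
        reasons.append("non-Microsoft DLL loaded from the binary's own directory")
    return reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # legitimate SQL Server component loading a Microsoft-signed system DLL
        "Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SqlDumper.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # relocated copy loading an unsigned DLL placed beside it (placeholder name)
        "Image": r"C:\Users\alice\AppData\Local\Temp\invite\sqldumper.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\invite\PLACEHOLDER.dll",
        "Signed": "false", "Signature": "",
    },
]


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image path, reasons) for every event that raised an indicator."""
    return [(e["Image"], r) for e in events if (r := side_load_indicators(e))]


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```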

WineLoader sends the victim's username, device name, process name, and other information to the C2 to help profile the system.

The C2 can order the execution of modules that can be dynamically loaded to perform specific tasks, such as establishing persistence.

Though Mandiant does not delve into any modules, it is assumed that WineLoader's modular nature allows it to execute a wide range of espionage activities in line with APT29's mission.

APT29 continues demonstrating its advanced technical proficiency and ongoing efforts to develop tools to infiltrate and spy on targeted entities.

The shift to political parties suggests an intent to influence or monitor political processes, possibly reflecting broader geopolitical objectives.
