SPIKEDWINE Targets Diplomats: Europe Under Cyber Attack

An obscure hacking collective, christened SPIKEDWINE, has launched attacks against diplomats across several European nations where Indian diplomatic missions are operational. To achieve their nefarious objectives, the culprits have deployed a novel malicious backdoor dubbed WINELOADER.

This revelation comes from a report by Zscaler ThreatLabz. According to their findings, the attackers dispatched PDF files to embassy staff, purportedly on behalf of the Indian ambassador. These correspondences contained invitations to a wine-tasting event scheduled for February 2, 2024.

One such PDF document was uploaded to VirusTotal on January 30, 2024, from Latvia. Moreover, there is reason to believe that the campaign may have commenced as early as July 6, 2023, as evidenced by the detection of another similar PDF from the same country.

“The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure,” noted security researchers Sudeep Singh and Roy Tay.

Obfuscated JavaScript code inside the HTA file

The PDF files harbored malicious links disguised as surveys. Recipients were requested to fill out a questionnaire to participate in the event. Following these links triggered the download of an HTML application (“wine.hta”) with obfuscated JavaScript code, designed to retrieve an encrypted ZIP archive containing the WINELOADER malware from the same domain.

The core of WINELOADER includes a module that downloads additional elements from a command server. It also integrates itself into third-party DLL libraries and reduces the time interval between sending requests.

A hallmark of these cyberattacks is the exploitation of compromised websites as command servers and for hosting malicious software. It is presumed that the command servers only accept requests from the malware at specific times and via a special protocol, rendering the attacks more covert and difficult to detect.

As the researchers highlight, the hackers have exerted considerable effort to cover their tracks. In particular, they have shunned actions that could draw the attention of memory analysis systems and automated URL scanning.