Keypoints
- APT29 targeted political parties using the WINELOADER backdoor delivered via phishing campaigns and a ROOTSAW dropper.
- Initial access involved phishing attachments that led victims to a compromised site serving an obfuscated JavaScript dropper, which downloads a file named invite.txt to C:\Windows\Tasks.
- The ROOTSAW dropper uses obfuscated JavaScript to download, decode, and decompress invite.txt to execute the payload.
- Adversaries abused signed binaries and side-loading, specifically SQLWriter/SQLDumper loading a vcruntime140.dll from outside System32 to execute malicious code.
- Common living-off-the-land binaries were used: mshta.exe was observed writing to world-writable directories and certutil.exe was used with decode arguments to decode downloaded files.
- Splunk released analytic detections (mshta world-writable writes, certutil decode, Sysmon EventCode 7 for vcruntime140.dll loads, and unsigned MS DLL side-loading heuristics) plus an Atomic Red Team test to validate defenses.
- Researchers published a YARA rule targeting the WINELOADER export function and provided sample hashes and a simplified Python extractor for analysis.
MITRE Techniques
- [T1218.005] Signed Binary Proxy Execution (mshta) – mshta.exe was used to write files to world-writable directories to stage or execute payloads ("This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories").
- [T1218] Signed Binary Proxy Execution (certutil) – certutil.exe was used with decode arguments to decode downloaded files including executables or scripts ("CertUtil with Decode Argument").
- [T1574.001] DLL Search Order Hijacking – adversaries sideloaded vcruntime140.dll via SQLDumper.exe/SQLWriter.exe to load malicious code into a legitimate process ("abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library").
- [T1566.001] Phishing: Attachment – phishing attachments were distributed that led to download and execution of the ROOTSAW dropper from a compromised website ("distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website").
- [T1027] Obfuscated Files or Information – the ROOTSAW payload used obfuscated JavaScript to hide its behavior ("using obfuscated JavaScript").
- [T1140] Deobfuscate/Decode Files or Information – the downloaded invite.txt file was decoded and decompressed to produce and execute the malicious payload ("This file is then decoded and decompressed to execute a malicious payload").
- [T1105] Ingress Tool Transfer – the attack chain involved downloading a file (invite.txt) to C:\Windows\Tasks from a compromised site ("downloads a file named `invite.txt` to the `C:\Windows\Tasks` directory").
- [T1036] Masquerading – attackers used unsigned DLLs presenting Microsoft company details to masquerade as legitimate Microsoft components ("unsigned DLLs with a company detail signature mimicking Microsoft").
Indicators of Compromise
- [FileName] sideloaded library – vcruntime140.dll (used in SQLWriter/SQLDumper side-loading detections).
- [SHA256] malicious DLL hashes – 72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4, d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750 (hashes attributed to the vcruntime140.dll samples in the article).
- [FileName] dropped artifact – invite.txt – downloaded to C:\Windows\Tasks, then decoded and decompressed to execute a payload.
- [YARA] detection metadata – YARA rule possible_wine_loader_export_function includes the SHA256 “72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4” and a signature pattern targeting the export loader setup code.
APT29’s chain begins with phishing attachments that direct victims to a compromised site hosting a ROOTSAW dropper. The dropper delivers obfuscated JavaScript which downloads a file named invite.txt into C:\Windows\Tasks; that file is then decoded and decompressed to spawn the malicious payload, illustrating combined use of T1566.001 (phishing), T1027 (obfuscation), T1105 (ingress), and T1140 (decode/decompress) behaviors.
Post‑execution techniques observed include living‑off‑the‑land execution and DLL sideloading: mshta.exe was used to write to world‑writable directories to stage files (detected via Sysmon EventCode=11 searches), certutil.exe was used with decode arguments to convert downloaded content into executable form, and adversaries sideloaded a malicious vcruntime140.dll via SQLDumper/SQLWriter to run code inside a legitimate process (detected via Sysmon EventCode=7 filtering out System32 loads).
Detection guidance supplied by Splunk focuses on these behaviors: alerts for mshta writing to non-standard/world‑writable paths, searches for certutil usage with decode arguments, Sysmon EventCode=7 detections for vcruntime140.dll loads outside System32, and heuristics for unsigned DLLs claiming Microsoft company details. Researchers also published a YARA rule targeting the WINELOADER export setup and shared a simplified Python extractor to aid analysis and hunting.
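The four detection ideas above (mshta writing to world-writable paths, certutil with a decode argument, a vcruntime140.dll image load from outside System32, and an unsigned DLL carrying Microsoft company details) can be prototyped against Sysmon-style events before being turned into SPL. The following is an added example written for this summary, not Splunk's own analytic code: it runs the four heuristics over a handful of constructed Sysmon-like records. The world-writable directory list, the field names (`Image`, `TargetFilename`, `ImageLoaded`, `CommandLine`, `Signed`, `Company`) and the sample events are assumptions modelled on Sysmon's schema, not values taken from the article.

```python
import re

# Assumption: directories any local user can write to on a default Windows
# install. Extend for your environment; C:\Windows\Tasks is the one the
# article's chain uses for invite.txt.
WORLD_WRITABLE_DIRS = (
    r"C:\Windows\Tasks",
    r"C:\Windows\Temp",
    r"C:\Windows\Tracing",
    r"C:\Users\Public",
    r"C:\ProgramData",
)

# Loads of vcruntime140.dll from these system directories are treated as
# expected; anything else is a side-loading candidate (assumption: SysWOW64
# is excluded alongside System32 to avoid 32-bit false positives).
SYSTEM_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# certutil decode switches (-decode / /decode / -decodehex), case-insensitive.
CERTUTIL_DECODE = re.compile(r"(?i)(?:^|\s)[-/]decode(?:hex)?\b")


def _under(path, roots):
    """True if a Windows path is equal to or inside one of the given roots."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    return any(p == r.lower() or p.startswith(r.lower() + "\\") for r in roots)


def detect(events):
    """Apply the four heuristics to Sysmon-like event dicts.

    Returns a list of (rule_name, event) tuples; one event may match more
    than one rule (e.g. an unsigned vcruntime140.dll loaded from a user path).
    """
    hits = []
    for e in events:
        code = e.get("EventCode")
        image = e.get("Image", "").lower()

        # Sysmon EventCode 11 (FileCreate): mshta writing into a world-writable path.
        if code == 11 and image.endswith("\\mshta.exe"):
            if _under(e.get("TargetFilename", ""), WORLD_WRITABLE_DIRS):
                hits.append(("mshta_world_writable_write", e))

        # Sysmon EventCode 1 (ProcessCreate): certutil invoked with a decode switch.
        elif code == 1 and image.endswith("\\certutil.exe"):
            if CERTUTIL_DECODE.search(e.get("CommandLine", "")):
                hits.append(("certutil_decode", e))

        # Sysmon EventCode 7 (ImageLoad): side-loaded runtime DLL and
        # unsigned DLLs whose version info claims Microsoft.
        elif code == 7:
            loaded = e.get("ImageLoaded", "")
            if loaded.lower().endswith("\\vcruntime140.dll") and not _under(loaded, SYSTEM_DLL_DIRS):
                hits.append(("vcruntime140_sideload", e))
            if e.get("Signed", "").lower() == "false" and "microsoft" in e.get("Company", "").lower():
                hits.append(("unsigned_dll_claiming_microsoft", e))
    return hits


def rule_names(events):
    """Convenience wrapper: just the rule names, in event order."""
    return [name for name, _ in detect(events)]


# Constructed sample events (not real telemetry). Two are benign controls:
# mshta writing to a per-user temp path and certutil computing a hash.
SAMPLE_EVENTS = [
    {"EventCode": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Windows\Tasks\invite.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\page.tmp"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Windows\Tasks\invite.txt C:\Windows\Tasks\invite.dll"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile setup.exe SHA256"},
    {"EventCode": 7, "Image": r"C:\Windows\Tasks\SQLDumper.exe",
     "ImageLoaded": r"C:\Windows\Tasks\vcruntime140.dll",
     "Signed": "false", "Company": "Microsoft Corporation"},
    {"EventCode": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140.dll",
     "Signed": "true", "Company": "Microsoft Corporation"},
]

if __name__ == "__main__":
    for name, event in detect(SAMPLE_EVENTS):
        print(f"{name}: {event.get('Image')} -> "
              f"{event.get('TargetFilename') or event.get('ImageLoaded') or event.get('CommandLine')}")
```

Against the sample set the script fires once for each of the four rules, with the SQLDumper/vcruntime140.dll event matching both the side-load and the unsigned-Microsoft heuristics; the per-user temp write and the `-hashfile` invocation stay quiet. In production the path allow-lists are the tuning knob: the world-writable list decides how noisy the mshta rule is, and the System32/SysWOW64 exclusion is what keeps the EventCode 7 rule from alerting on every legitimate C runtime load.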
Read more: https://www.splunk.com/en_us/blog/security/wineloader-analysis.html