Keypoints
- APT29 sent German‑language phishing emails with a CDU dinner‑invite lure linking to https://waterforvoiceless[.]org/invite.php.
- The landing page delivered a ZIP containing a ROOTSAW HTA downloader (invite.hta) which used obfuscated JavaScript to fetch and write invite.txt, decode via certutil, extract with tar, and execute SqlDumper.exe.
- ROOTSAW then retrieved and executed a malicious ZIP (invite.zip) containing WINELOADER, deployed via DLL side‑loading into a legitimate executable (sqldumper.exe + vcruntime140.dll).
- WINELOADER performs RC4 decryption of an encrypted resource to load a position‑independent shellcode core, contains ~70 encrypted strings, and uses sleep timers and anti‑analysis checks.
- WINELOADER C2 uses HTTP GET requests with a randomized registration packet that includes environment and process information; responses can deliver modules or instruct persistence actions.
- Observed network infrastructure includes waterforvoiceless[.]org (dropper host) and siestakeying[.]com (WINELOADER auth/C2 endpoint); multiple MD5 hashes for staged files and DLLs were published.
- Detection guidance and YARA/rule examples were provided to hunt obfuscated ROOTSAW and WINELOADER behaviors (RC4 decryption stubs, invocation patterns, JS strings).
MITRE Techniques
- [T1566] Phishing – Used an email with a CDU-themed invite linking to a malicious ZIP on “https://waterforvoiceless[.]org/invite.php” [‘phishing campaign targeting German political parties.’]
- [T1204.002] Malicious File/Link – Lure document contained a phishing link directing victims to a malicious ZIP [‘The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper’].
- [T1543/T1543.003] Create or Modify System Process / Windows Service – Actor was reported to configure persistence via a run key after WINELOADER deployment [‘they were able to receive a command to persist WINELOADER which resulted in a run key to be configured on the device.’]
- [T1574] Hijack Execution Flow (DLL Side‑Loading) – WINELOADER is invoked via DLL side‑loading into a legitimate Windows executable (SqlDumper.exe) [‘invoked via a DLL side loading technique into a legitimate Windows executable’].
- [T1027] Obfuscated Files or Information – ROOTSAW and downloader code used JavaScript obfuscation and encoded resources [‘This ROOTSAW variant uses the same JavaScript obfuscation resource… The ROOTSAW payload contains a JSObfuscated payload’].
- [T1071.001] Application Layer Protocol: Web Protocols – WINELOADER communicates using HTTP GET requests for C2 [‘WINELOADER communicates using HTTP GET requests using a user agent contained within the resource.’]
- [T1046 / T1082] System Network/Information Discovery & System Information Discovery – Registration packets include environment info such as username and device name [‘this packet contains environment information like the victim’s username/device name, the process name…’].
- [T1057] Process Discovery – WINELOADER collects process and parent process path information to validate targets [‘the process name and some information that could be used by the actor to determine whether the compromised system is a valid target (parent process path, etc.)’].
- [T1055.003] Process Injection (Thread Execution Hijacking) – C2 responses can task WINELOADER to execute modules within the same process or via injection [‘task the WINELOADER to execute a new module (either within the same process, or via process injection)’].
- [T1005/T1083] Data from Local System / File and Directory Discovery – The loader writes and extracts files to C:\Windows\Tasks (invite.txt, invite.zip) and enumerates files during staging [‘downloads a file to disk as “invite.txt”, decoding it using Windows Certutil, then decompressing the code using tar…’].
- [T1070.004] Indicator Removal on Host / File Deletion – Article lists file deletion techniques as part of the observed behavior [‘File Deletion’].
Indicators of Compromise
- [Domain] Dropper/C2 infrastructure – waterforvoiceless[.]org (ROOTSAW dropper: /invite.php, /util.php), siestakeying[.]com (WINELOADER auth/C2: /auth.php)
- [File name] Staged filenames – invite.pdf (CDU lure), invite.hta (ROOTSAW downloader), invite.txt/invite.zip (staged payloads)
- [Hash – MD5] Staged samples – invite.pdf: fb6323c19d3399ba94ecd391f7e35a9c, invite.hta: efafcd00b9157b4146506bd381326f39, and several other hashes (multiple MD5s published)
- [Binary] Legitimate executable used for side‑loading – sqldumper.exe (MD5: f32c04ad97fa25752f9488781853f0ea) and malicious vcruntime140.dll variants (MD5s: e017bfc36e387e8c3e7a338782805dde, 8bd528d2b828c9289d9063eba2dc6aa0)
Starting with a German‑language phishing lure, victims were directed to https://waterforvoiceless[.]org/invite.php which served a ZIP containing a ROOTSAW HTA downloader (invite.hta). That HTA used obfuscated JavaScript to fetch a blob, write it as C:\Windows\Tasks\invite.txt, decode it with certutil (certutil -decode C:\Windows\Tasks\invite.txt C:\Windows\Tasks\invite.zip), extract with tar, and then execute a legitimate binary (C:\Windows\Tasks\SqlDumper.exe) to continue the chain.
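The staging chain above (certutil decode into C:\Windows\Tasks, tar extraction there, a renamed legitimate binary launched from that directory and loading vcruntime140.dll beside itself) is a sequence a host-telemetry hunt can correlate. The following is an added example written for this summary, not code from Mandiant or the original report; it runs over constructed Sysmon-style events (field names mirror Sysmon's Image/CommandLine/ImageLoaded in snake_case, the events themselves are made up) and generalises the side-load check to any executable in the staging directory that loads vcruntime140.dll from its own folder rather than a system directory.

```python
"""Host-side hunt for the ROOTSAW -> WINELOADER staging chain.

Added example (not from the original report). Input is a constructed list of
Sysmon-style events: event_id 1 (process create) and 7 (image/DLL loaded).
"""
import ntpath
from collections import defaultdict

# Directory the report names as the staging location, normalised to lowercase
STAGING_DIR = "c:\\windows\\tasks\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry (not real victim data)
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\invite.hta"'},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Windows\Tasks\invite.txt C:\Windows\Tasks\invite.zip"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\tar.exe",
     "cmdline": r"tar -xf C:\Windows\Tasks\invite.zip -C C:\Windows\Tasks"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\Tasks\SqlDumper.exe",
     "cmdline": r"C:\Windows\Tasks\SqlDumper.exe"},
    {"host": "ws01", "event_id": 7, "image": r"C:\Windows\Tasks\SqlDumper.exe",
     "image_loaded": r"C:\Windows\Tasks\vcruntime140.dll"},
    # Benign noise: a developer decoding a certificate outside the staging dir,
    # and an application loading the runtime DLL from System32 as expected
    {"host": "ws02", "event_id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\dev\cert.b64 C:\Users\dev\cert.cer"},
    {"host": "ws02", "event_id": 7, "image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Windows\System32\vcruntime140.dll"},
]


def _norm(path):
    return path.lower().replace("/", "\\")


def _in_staging(path):
    return _norm(path).startswith(STAGING_DIR)


def _is_system_dir(path):
    return any(_norm(path).startswith(d) for d in SYSTEM_DIRS)


def classify(ev):
    """Return the chain stage an event matches, or None if it is unremarkable."""
    name = ntpath.basename(ev["image"]).lower()
    if ev["event_id"] == 1:
        cmd = ev.get("cmdline", "")
        lc = _norm(cmd)
        if name == "certutil.exe" and "-decode" in lc and STAGING_DIR in lc:
            return "certutil_decode"
        # any 'x'-style extract switch (-x, -xf, -xvf ...) touching the staging dir
        extracts = any(t.lstrip("-").startswith("x") for t in cmd.split())
        if name == "tar.exe" and extracts and STAGING_DIR in lc:
            return "tar_extract"
        if _in_staging(ev["image"]):
            return "exec_from_staging"
    elif ev["event_id"] == 7:
        dll = ev["image_loaded"]
        same_dir = _norm(ntpath.dirname(dll)) == _norm(ntpath.dirname(ev["image"]))
        if (ntpath.basename(dll).lower() == "vcruntime140.dll"
                and not _is_system_dir(dll) and same_dir):
            return "dll_sideload"
    return None


def detect(events):
    """Group matched stages per host; only hosts with at least one hit are returned."""
    hits = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in hits.items()}


def full_chain(stages):
    """True when decode, extract and side-load were all observed on one host."""
    return {"certutil_decode", "tar_extract", "dll_sideload"} <= set(stages)


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(host, "FULL CHAIN" if full_chain(stages) else "partial", stages)
```

Any single stage (certutil -decode, tar, a runtime DLL loaded from a non-system path) produces false positives on its own; the value is in requiring several of them on the same host within a short window, which is why the example reports per-host stage sets and a separate full_chain verdict rather than alerting on the first match.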
The extracted archive contained staged components including invite.txt (a malicious certificate file), invite.zip (the container for WINELOADER), and DLL payloads (vcruntime140.dll variants). WINELOADER is loaded via DLL side‑loading into the legitimate process (sqldumper.exe), uses RC4 to decrypt an encrypted resource in memory, and loads a position‑independent shellcode core that holds configuration (C2, RC4 keys) and ~70 encrypted strings. The implant includes anti‑analysis measures (default 2s sleep timer, process/DLL name checks, ntdll usermode hook bypass) and can update its sleep timer or load additional modules on command.
Network behavior consists of HTTP GET C2 with a randomized registration packet containing environment details (username, device name, process and parent process path) that the actor can use to triage targets. Zscaler/Mandiant observed instances of commands to persist via registry run keys. Known indicators include domains waterforvoiceless[.]org and siestakeying[.]com, staged filenames (invite.hta, invite.txt, invite.zip), and published MD5 hashes for the staged files and DLLs to aid detection and hunting.
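The domains, URL paths and MD5 hashes listed in the Indicators of Compromise section are published defanged, so a hunt first has to refang them and then match on host plus path (the C2 GET carries a query string, so the path must be compared on its own). The block below is an added example for this summary, not code from the original report; the indicator values are the ones listed above, while the proxy log lines and the file inventory are constructed for the demonstration.

```python
"""Network and file-hash hunt for the indicators published in the report.

Added example (not from the original report). IOC values are taken from the
summary above; the proxy log and file inventory are constructed test data.
"""
from urllib.parse import urlsplit

# Published defanged; refanged only at match time
IOC_URLS = [
    "https://waterforvoiceless[.]org/invite.php",
    "https://waterforvoiceless[.]org/util.php",
    "https://siestakeying[.]com/auth.php",
]
IOC_MD5 = {
    "fb6323c19d3399ba94ecd391f7e35a9c": "invite.pdf (CDU lure)",
    "efafcd00b9157b4146506bd381326f39": "invite.hta (ROOTSAW downloader)",
    "f32c04ad97fa25752f9488781853f0ea": "sqldumper.exe (legitimate side-load host)",
    "e017bfc36e387e8c3e7a338782805dde": "vcruntime140.dll (WINELOADER)",
    "8bd528d2b828c9289d9063eba2dc6aa0": "vcruntime140.dll (WINELOADER)",
}


def refang(ioc):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxps", "https").replace("hxxp", "http")


def _target(url):
    p = urlsplit(refang(url))
    return (p.hostname or "").lower(), p.path


IOC_TARGETS = {_target(u) for u in IOC_URLS}      # (host, path) pairs
IOC_DOMAINS = {host for host, _ in IOC_TARGETS}    # host-only fallback

# Constructed proxy log: timestamp src_ip method url status user_agent
SAMPLE_PROXY_LOG = """\
2024-02-26T10:01:02Z 10.10.1.23 GET https://waterforvoiceless.org/invite.php 200 Mozilla/5.0
2024-02-26T10:03:40Z 10.10.1.23 GET https://siestakeying.com/auth.php?id=abc123 200 Mozilla/5.0
2024-02-26T10:03:41Z 10.10.1.23 GET https://siestakeying.com/favicon.ico 404 Mozilla/5.0
2024-02-26T10:05:00Z 10.10.1.77 GET https://example.com/index.html 200 Mozilla/5.0
"""

# Constructed file inventory: path -> MD5 (the System32 entry is a benign placeholder)
SAMPLE_INVENTORY = {
    r"C:\Windows\Tasks\SqlDumper.exe": "f32c04ad97fa25752f9488781853f0ea",
    r"C:\Windows\Tasks\vcruntime140.dll": "e017bfc36e387e8c3e7a338782805dde",
    r"C:\Windows\System32\vcruntime140.dll": "00000000000000000000000000000000",
}


def classify_url(url):
    """'known_url' on an exact host+path IOC, 'known_domain' on host only, else None."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in IOC_TARGETS:
        return "known_url"
    if host in IOC_DOMAINS:
        return "known_domain"
    return None


def hunt_proxy(log_text):
    """Return (src_ip, url, verdict) for every proxy line touching an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                       # malformed line, skip rather than crash
        _ts, src, _method, url = parts[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append((src, url, verdict))
    return hits


def hunt_hashes(inventory):
    """Return (path, label) for inventory entries whose MD5 is a published IOC."""
    return [(path, IOC_MD5[md5.lower()])
            for path, md5 in inventory.items() if md5.lower() in IOC_MD5]


if __name__ == "__main__":
    for hit in hunt_proxy(SAMPLE_PROXY_LOG):
        print("proxy:", *hit)
    for hit in hunt_hashes(SAMPLE_INVENTORY):
        print("file:", *hit)
```

The sqldumper.exe hash belongs to a legitimate Microsoft binary, so a match on it is only meaningful together with its location (here C:\Windows\Tasks) or the DLL beside it; the vcruntime140.dll hashes, by contrast, identify the WINELOADER payload itself.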
Read more: https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties/