Wineloader – Analysis of the Infection Chain
By ARC Labs contributor, Shannon Mong
ARC Labs recently analyzed a sample of the Wineloader backdoor for infection chain analysis and detection opportunities to help defenders protect their organizations. Through this analysis, ARC Labs is providing defenders with general detection guidance and specific KQL queries to detect Wineloader activity within Microsoft Sentinel. Additionally, ARC Labs has provided some best practices when analyzing obfuscated JavaScript code within HTA files.
Wineloader is a modular backdoor that was initially discovered by ZScaler and later reported by Mandiant. It has been used in spearphishing campaigns linked to APT29 (also known as NOBELIUM and COZY BEAR). This backdoor allows additional tools or modules to be downloaded to an infected host through an encrypted command and control (C2) channel. Wineloader is believed to be a variant of other tools associated with APT29, such as BurntBatter, BeatDrop, and MuskyBeat.
Key Takeaways from our Wineloader Analysis:
- WINELOADER Overview:
  - WINELOADER is a modular backdoor used in spearphishing campaigns attributed to APT29 (NOBELIUM, COZY BEAR).
  - It allows additional tools or modules to be downloaded through an encrypted command and control (C2) channel.
- Phishing Lure:
  - The campaign starts with a phishing email inviting targets to a wine tasting event hosted by the Ambassador of India.
- Infection Chain:
  - The malicious website downloads a ZIP file containing an obfuscated HTA file with JavaScript code.
  - Executing the HTA file downloads another ZIP file with the Wineloader payload.
- Obfuscation Techniques:
  - The HTA file uses heavily obfuscated JavaScript, including variable renaming and string encoding.
- Execution and Evasion:
  - Wineloader is executed through a malicious DLL which is sideloaded via sqlwriter.exe.
- Persistence Mechanisms:
  - Wineloader achieves persistence via scheduled tasks or by modifying registry keys.
The Phishing Lure
The initial infection chain of Wineloader starts with a phishing email carrying a PDF invitation to a wine tasting event hosted by the Ambassador of India. The PDF redirects the target to a malicious website where the Wineloader infection begins.
The Infection Chain
The infection chain starts when the target is redirected to a malicious site that downloads a ZIP file containing a malicious HTA file with heavily obfuscated JavaScript code. When the HTA file is executed by the user, the JavaScript code executes, which downloads an additional ZIP file containing the Wineloader payload.
HTA Analysis
ARC Labs analyzed the obfuscated JavaScript to arm defenders with strategies to extract tactical threat intelligence from obfuscated JavaScript payloads. On first inspection, the JavaScript within the HTA appears to be obfuscated using an open-source JavaScript obfuscator that leverages variable renaming and string encoding to hinder human analysis.
ARC Labs has observed that JavaScript payloads modified using common obfuscation tools (like the one used for Wineloader) often rely on a replace function that replaces encoded values with their original string value upon execution.
For example, a function named replace could contain an array of hexadecimal-encoded strings such as \x6e\x65\x77 (new), \x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74 (ActiveXObject), and \x28\x27\x57\x73\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c\x27\x29 (('Wscript.Shell')).
To obfuscate the call new ActiveXObject('Wscript.Shell'), the payload references the replace function, which returns the appropriate element within the array.
Defenders can often extract valuable threat intelligence from obfuscated JavaScript payloads by looking for arrays of obfuscated data stored within a function that is repeatedly called when setting variable values within the payload. Simply reuse the referenced functions with console.log and pass the same data to the functions used within the payload.
This same obfuscation technique is used within the Wineloader HTA sample analyzed by ARC Labs. In the sample, ARC Labs identified an array named _0x575da0 containing hexadecimal-encoded string values. The array _0x575da0 is repeatedly accessed through a replace function named _0x12e9, which navigates through several complicated steps to eventually return an element within the array.
To reveal the string values leveraged within the HTA payload, defenders can simply copy the array and the replace function into a new JavaScript file, pass the same arguments the payload passes, and output the decoded data.
For example, the first function called within the Wineloader HTA is Majshkj, which is called with several obfuscated values.
Using the existing replace function (_0x12e9) and encoded array (_0x575da0) along with console.log reveals the encoded data as a string.
Repeating this process where the replace function is used will enable defenders to extract command line arguments, URLs, file names, and other threat intelligence that will enable them to assess their organizations for indicators of compromise.
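As an added example (not code from the ARC Labs post or from the Wineloader sample), the following JavaScript rebuilds the array-plus-lookup pattern described above with a constructed string table, then shows two defender steps: dumping the table, and statically resolving every lookup call in the payload text so the strings are recovered without executing the payload. The names _0x575da0 and _0x12e9 come from the post; the array contents, the index offset and the payload fragment are constructed.

```javascript
// Constructed hex-escaped string table in the style of common JavaScript obfuscators.
// The first three entries are the strings discussed in the post; "text.txt" is the
// second-stage file name the post mentions. Contents are constructed for this example.
const _0x575da0 = [
  "\x6e\x65\x77",                                                        // "new"
  "\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74",                // "ActiveXObject"
  "\x28\x27\x57\x73\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c\x27\x29", // "('Wscript.Shell')"
  "\x74\x65\x78\x74\x2e\x74\x78\x74",                                    // "text.txt"
];

// Constructed lookup ("replace") function. Obfuscators usually subtract an offset so
// the literal numbers in the payload do not map directly onto array positions.
function _0x12e9(index, offset) {
  return _0x575da0[index - offset];
}

// Constructed fragment of obfuscated payload source, as it would appear inside the HTA.
const payloadSource =
  'var a = _0x12e9(0x10, 0x10) + " " + _0x12e9(0x11, 0x10) + _0x12e9(0x12, 0x10);\n' +
  'var b = _0x12e9(0x13, 0x10);';

// Defender step 1: dump the whole string table so every constant is visible at once.
function dumpTable() {
  return _0x575da0.map((s, i) => `${i}: ${s}`);
}

// Defender step 2: find every call to the lookup function in the source text and
// replace it with the decoded string literal. Only the copied lookup function runs;
// the payload itself is never evaluated.
function resolveLookups(src) {
  const callPattern = /_0x12e9\((0x[0-9a-f]+|\d+),\s*(0x[0-9a-f]+|\d+)\)/gi;
  return src.replace(callPattern, (_match, idx, off) =>
    JSON.stringify(_0x12e9(Number(idx), Number(off))));
}

console.log(dumpTable().join("\n"));
console.log(resolveLookups(payloadSource));
```

The resolved source reads as plain JavaScript with string literals in place of every lookup, which is the form to search for command lines, URLs and file names.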
Wineloader Execution
In the deobfuscated JavaScript, the HTA file performs pre-checks before continuing with the next stages of infection. To recreate the full infection process, ARC Labs modified the script to make it appear as though the remote host was alive so the infection would continue.
Recreation of the full infection chain also revealed that the code is launched directly through mshta.exe without the need for an additional process. Mshta.exe is a legitimate Windows program that executes HTML applications. Keeping the script execution inside a single trusted process limits the number of processes spawned on the compromised device, which aids defense evasion.
ARC Labs analysis revealed the final stages of the infection chain included downloading an additional file named text.txt, which was an encoded archive containing sqlwriter.exe and vcruntime140.dll where sqlwriter.exe is the legitimate Microsoft application and vcruntime140.dll is the Wineloader payload.
The malicious DLL is loaded automatically when sqlwriter.exe executes because of the way Microsoft Windows locates the DLLs listed in an executable's import table. If the full path of a DLL is not specified in the import table, the loader walks a predefined list of locations to search for the referenced DLL. In Microsoft Windows, the first location searched is the directory the executable was loaded from, so by placing the malicious DLL in the same folder as sqlwriter.exe, the malicious DLL is located first and loaded by the executable. This technique is referred to as "sideloading".
Once the DLL is sideloaded into sqlwriter.exe, Wineloader will attempt to establish persistence on the host by creating a scheduled task for sqlwriter.exe or by establishing registry persistence at the following key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer
After persistence is established on the device, the backdoor sends specific beacon requests to the dedicated command-and-control server to report that persistence is complete. At the time of analysis, the specified C2 server was offline, inhibiting any further analysis. However, as Wineloader is a first-stage backdoor, it is highly likely that a second-stage malicious payload would be transferred from the command-and-control server to the compromised device.
Detection Opportunities:
Information for executing threat hunts for evidence of Wineloader activity can be found within the ARC Labs Hunting Queries GitHub repository located here: https://github.com/BinaryDefense/ARC-Labs-Hunting-Queries.
For more information about how Binary Defense can deliver Managed Detection and Response or Threat Hunting services that can identify Wineloader activity, contact us to set up a follow-on conversation.