Priya Patel
TLDR:
- Russia’s Cozy Bear targeted German political parties in a phishing campaign using fake dinner party invitations.
- The phishing emails were designed to infect PCs with the WINELOADER backdoor, allowing remote control of the infected machines.
Article Summary:
Russia’s Cozy Bear, also known as APT29 and Midnight Blizzard, targeted German political parties in a phishing campaign disguised as dinner party invitations. The phishing emails were engineered to infect victims’ Windows PCs with the WINELOADER backdoor, providing long-term access to the political parties’ networks and data.
This is the first time Cozy Bear has targeted political parties and it has been linked to the Russian Foreign Intelligence Service (SVR). The phishing emails were designed to appear as if they were sent by Germany’s Christian Democratic Union (CDU) and included the CDU logo, inviting recipients to a fictitious dinner reception on March 1st.
Victims who clicked on a link in the email were directed to a Cozy Bear-controlled website where they downloaded a .zip file containing a program called ROOTSAW. This program would infect the PC with the WINELOADER backdoor, allowing the machine to be remotely controlled by the hackers.
WINELOADER was also used in phishing campaigns targeting diplomatic entities in Europe, India, and Peru. The backdoor was customized and implemented a unique Command-and-Control (C2) mechanism. This backdoor overlaps with several other strains of malware used by Cozy Bear, but is more customized than previous variants.
The CDU confirmed that there was no official dinner on March 1st and that the event was fictitious. Cozy Bear has also been targeting Microsoft’s networks, stealing source code and gaining access to internal systems.
