From Water to Wine: An Analysis of WINELOADER | Splunk

The simplified version of this Python tool is available here.

IOC

| FileName | SHA256 |
| --- | --- |
| vcruntime140.dll | 72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4 |
| | d0a8fa332950b72968bdd1c8a1a0824dd479220d044e8c89a7dea4434b741750 |

YARA Rule:

```yara
import "pe"

rule possible_wine_loader_export_function {
    meta:
        author = "@tccontre18 - Br3akp0int"
        description = "possible wine loader export function setup code"
        date = "2024-04-03"
        sha256 = "72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4"
    strings:
        $exp_loader = {48 83 EC 08 48 8D 0D ?? ?? ?? ?? 48 C7 C2 28 80 00 00 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 C7 05 ?? ?? ?? ?? ?? ?? 00 00 48 C7 05 ?? ?? ?? ?? 28 80 00 00 E8 ?? ?? 00 00 48 83 C4 08 C3}
    condition:
        uint16(0) == 0x5a4d and $exp_loader and pe.number_of_exports != 0
}
```

Splunk Security Content

The Splunk Threat Research Team has released a new analytic story covering this campaign. Below is a breakdown of the related security content.

Figure 08: Security Content Detection Coverage

Windows MSHTA Writing to World Writable Path

This detection identifies instances of the Windows utility `mshta.exe` being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. 

Starting on February 26, 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, using obfuscated JavaScript, downloads a file named `invite.txt` to the `C:\Windows\Tasks` directory. This file is then decoded and decompressed to execute a malicious payload.

```spl
`sysmon` EventCode=11 Image="*\mshta.exe" TargetFilename IN ("*\Windows\Tasks\*", "*\Windows\Temp\*", "*\Windows\tracing\*", "*\Windows\PLA\Reports\*", "*\Windows\PLA\Rules\*", "*\Windows\PLA\Templates\*", "*\Windows\PLA\Reports\en-US\*", "*\Windows\PLA\Rules\en-US\*", "*\Windows\Registration\CRMLog\*", "*\Windows\System32\Tasks\*", "*\Windows\System32\Com\dmp\*", "*\Windows\System32\LogFiles\WMI\*", "*\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*", "*\Windows\System32\spool\PRINTERS\*", "*\Windows\System32\spool\SERVERS\*", "*\Windows\System32\spool\drivers\color\*", "*\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\*", "*\Windows\SysWOW64\Tasks\*", "*\Windows\SysWOW64\Com\dmp\*", "*\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\*", "*\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\*", "*\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\*")
| rename Computer as dest, User as user
| stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

(Get this content: Windows MSHTA Writing to World Writable Path.)

CertUtil with Decode Argument

CertUtil.exe may be used to `encode` and `decode` a file, including portable executables and script code. Malicious usage will include decoding an encoded file that was downloaded.

```spl
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

(Get this content: CertUtil with Decode Argument.)

Windows SQLWriter SQLDumper DLL Sideload

This analytic identifies the abuse of SqlWriter and SQLDumper executables to sideload the vcruntime140.dll library. This technique is commonly used by adversaries to load malicious code into a legitimate process. The analytic:

  • Searches for EventCode 7 from Sysmon logs where the Image is either SQLDumper.exe or SQLWriter.exe and the ImageLoaded is vcruntime140.dll.
  • Filters out the legitimate loading of vcruntime140.dll from the System32 directory to reduce false positives.

```spl
`sysmon` EventCode=7 (Image="*\SQLDumper.exe" OR Image="*\SQLWriter.exe") ImageLoaded="*\vcruntime140.dll" NOT ImageLoaded="C:\Windows\System32\*"
| stats values(ImageLoaded) count min(_time) as firstTime max(_time) as lastTime by Image, ImageLoaded, user, Computer, EventCode
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
```

(Get this content: Windows SqlWriter SQLDumper DLL Sideload.)

Windows Unsigned MS DLL Side-Loading

The following analytic identifies potential DLL side-loading instances involving unsigned DLLs whose company detail mimics Microsoft. This technique is frequently exploited by adversaries to execute malicious code automatically by running a legitimate process.

The analytic involves:

  • Searching Sysmon logs for Event Code 7, where both the `Image` and `ImageLoaded` paths do not match system directories (`system32`, `syswow64`, and `programfiles`).
  • Verifying whether the loaded DLL is signed and checking if the folder paths of the `Image` and `ImageLoaded` are identical.

This anomaly detection mechanism serves as a valuable indicator for identifying suspicious processes that load unsigned DLLs. Add other paths based on your organization's own hunting.

```spl
`sysmon` EventCode=7 Company="Microsoft Corporation" Signed=false SignatureStatus != Valid
NOT (Image IN("C:\Windows\System32\*", "C:\Windows\SysWow64\*", "C:\Program Files*"))
NOT (ImageLoaded IN("C:\Windows\System32\*", "C:\Windows\SysWow64\*", "C:\Program Files*"))
| rex field=Image "(?<ImageFolderPath>.+\\)"
| rex field=ImageLoaded "(?<ImageLoadedFolderPath>.+\\)"
| where ImageFolderPath = ImageLoadedFolderPath
| stats count min(_time) as firstTime max(_time) as lastTime by Image ProcessGuid ImageLoaded user Computer EventCode ImageFolderPath ImageLoadedFolderPath Company Description Product Signed SignatureStatus
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_unsigned_ms_dll_side_loading_filter`
```
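To show the same logic outside Splunk, the following added Python example (not Splunk's own code) applies both Sysmon EventCode 7 checks above, the SqlWriter/SQLDumper vcruntime140.dll sideload and the unsigned Microsoft-company DLL side-load, to constructed event records; the `folder()` helper reproduces the rex capture of everything up to the last backslash, and all paths and field values are constructed for illustration.

```python
import ntpath
# Constructed Sysmon EventCode 7 (image loaded) records for illustration; not real telemetry.
EVENTS = [
    {"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\SqlDumper.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\vcruntime140.dll",
     "Company": "Microsoft Corporation", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vcruntime140.dll",
     "Company": "Microsoft Corporation", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\u\\Downloads\\app.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\helper.dll",
     "Company": "Microsoft Corporation", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Users\\u\\Downloads\\app.exe",
     "ImageLoaded": "C:\\Users\\u\\Downloads\\helper.dll",
     "Company": "Microsoft Corporation", "Signed": "false", "SignatureStatus": "Unavailable"},
]
# Prefixes excluded by the NOT (... IN(...)) clauses; Splunk wildcard matching is case-insensitive.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

def folder(path):
    # Same capture as rex "(?<...FolderPath>.+\\)": everything up to and including the last backslash.
    return path[: path.rfind("\\") + 1].lower()

def sqlwriter_sqldumper_sideload(ev):
    # SQLDumper.exe or SQLWriter.exe loading a vcruntime140.dll from anywhere except System32.
    loaded = ev["ImageLoaded"]
    return (ntpath.basename(ev["Image"]).lower() in ("sqldumper.exe", "sqlwriter.exe")
            and ntpath.basename(loaded).lower() == "vcruntime140.dll"
            and not loaded.lower().startswith("c:\\windows\\system32\\"))

def unsigned_ms_dll_sideload(ev):
    # Unsigned DLL claiming "Microsoft Corporation", loaded from the process's own folder, both outside system dirs.
    if ev["Company"] != "Microsoft Corporation" or ev["Signed"].lower() != "false":
        return False
    if ev["SignatureStatus"] == "Valid" or any(p.lower().startswith(SYSTEM_DIRS) for p in (ev["Image"], ev["ImageLoaded"])):
        return False
    return folder(ev["Image"]) == folder(ev["ImageLoaded"])

RULES = {"sqlwriter_sqldumper_dll_sideload": sqlwriter_sqldumper_sideload,
         "unsigned_ms_dll_side_loading": unsigned_ms_dll_sideload}
def run(events):
    # Returns (Image, ImageLoaded, [matching rule names]) for each event that trips at least one rule.
    hits = []
    for ev in events:
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits.append((ev["Image"], ev["ImageLoaded"], names))
    return hits
```

The third record (DLL in a different folder than the process) and the second (signed, loaded from System32) are the negative cases the two NOT clauses and the folder comparison are meant to drop.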


Summary

APT29 has launched a new campaign targeting political parties using the WINELOADER backdoor. Our detailed analysis of the TTPs employed by APT29 focused on the initial access stage and the WINELOADER malware itself. To help organizations detect and respond to this threat, the Splunk Threat Research Team has:

  • Developed an Atomic Red Team test. 
  • Released a new analytic story. 

As APT29 continues to evolve, it is important for security teams to stay informed and enhance their detection capabilities to protect against sophisticated threats.

Learn More

Visit research.splunk.com to view the Splunk Threat Research Team’s complete security content repository. You can implement this content using the Enterprise Security Content Updates app or the Splunk Security Essentials app.

We would like to thank Teoderick Contreras and Michael Haag for authoring this post and the entire Splunk Threat Research Team for their contributions. 
