Pulse Detail — Threat Intelligence

PULSE NAME

APT29 Uses WINELOADER to Target German Political Parties

WHITE APT29 tr2222200 2024-03-28 Modified: 2024-03-28

IOCs

MEDIUM VOLUME

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

MALWARE FAMILIES

WINELOADER JSObfuscated BURNTBATTER Detects APT29 ROOTSAW

Indicators of Compromise (21)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	44ce4b785d1795b71cee9f77db6ffe1b	—	2024-03-28
FileHash-MD5	5928907c41368d6e87dc3e4e4be30e42	—	2024-03-28
FileHash-MD5	7a465344a58a6c67d5a733a815ef4cb7	—	2024-03-28
FileHash-MD5	8bd528d2b828c9289d9063eba2dc6aa0	—	2024-03-28
FileHash-MD5	e017bfc36e387e8c3e7a338782805dde	—	2024-03-28
FileHash-MD5	efafcd00b9157b4146506bd381326f39	—	2024-03-28
FileHash-MD5	fb6323c19d3399ba94ecd391f7e35a9c	—	2024-03-28
FileHash-SHA1	5b6b25012fa541a227e1c20d9f3004ce4e7d4aee	SHA1 of efafcd00b9157b4146506bd381326f39	2024-03-28
FileHash-SHA256	a0f183ea54cb25dd8bdba586935a258f0ecd3cba0d94657985bb1ea02af8d42c	SHA256 of efafcd00b9157b4146506bd381326f39	2024-03-28
URL	http://waterforvoiceless.org/invite.xn--php-9o0a	—	2024-03-28
URL	http://waterforvoiceless.org/util.xn--php-9o0a.	—	2024-03-28
URL	https://siestakeying.com/auth.php	—	2024-03-28
URL	https://waterforvoiceless.org/invite.php	—	2024-03-28
URL	https://waterforvoiceless.org/invite.xn--php-9o0a.	—	2024-03-28
URL	https://waterforvoiceless.org/util.php	—	2024-03-28
YARA	9809f2bbfff6559775bbe3f2656155515e3cd137	Detects payload invocation stub in WINELOADER	2024-03-28
YARA	d61ff2430473f06fc42a1d452597c610027aace2	Detects obfuscated ROOTSAW payloads	2024-03-28
YARA	e25a8a21fffb5ae871022f4342db2a0e6561191e	Detects rc4 decryption logic in WINELOADER samples	2024-03-28
domain	0x3bd487.open	—	2024-03-28
domain	siestakeying.com	—	2024-03-28
domain	waterforvoiceless.org	—	2024-03-28

References (1)