Chinese Spyder Loader Malware Spotted Targeting Organizations in Hong Kong


The China-aligned spy-focused actor, nicknamed Winnti, has set his sights on Hong Kong government organizations in an ongoing campaign dubbed Operation CuckooBees.

Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name given to a prolific group of cyber threats that carry out Chinese state-sponsored espionage activities, primarily aimed at stealing intellectual property. organizations in developed countries. savings.

The threat actor’s campaigns have targeted the healthcare, telecommunications, hi-tech, media, agriculture and education sectors, with infection chains mostly relying on spear phishing emails with attachments to initially penetrate victims’ networks.

Earlier in May, Cybereason disclosed long-running attacks orchestrated by the group since 2019 to siphon tech secrets from tech and manufacturing companies primarily located in East Asia, Western Europe and North America.

cyber security

The intrusions, bludgeoned as Operation CuckooBees, are estimated to have resulted in the exfiltration of “hundreds of gigabytes of information”, the Israeli cybersecurity firm revealed.

The last activity, according to the Symantec The Threat Hunter team, part of Broadcom Software, is a continuation of the proprietary data theft campaign, but with a focus on Hong Kong.

The attackers remained active on some of the compromised networks for a year, the company said in a report shared with The Hacker News, adding that the intrusions paved the way for the deployment of a malware loader called Spywhich was first revealed in March 2021.

“[Spyder] is used for targeted attacks on information storage systems, gathering information about corrupted devices, executing malicious payloads, coordinating script execution, and C&C server communication,” l SonicWall Capture Labs Threat Research Team Noted at the time.

Apart from Spyder, other post-exploitation tools have also been deployed, such as Mimikatz and a trojanized zlib DLL module capable of receiving commands from a remote server or loading an arbitrary payload.

Symantec said it did not observe delivery of any end-stage malware, although the motives for the campaign are believed to be related to intelligence gathering based on tactical overlap with previous attacks.

“The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed during this time, indicates that the actors behind this activity are persistent and targeted adversaries capable of performing stealth operations on networks. victims over a long period of time,” Symantec said.

Winnti targets Sri Lankan government entities

Further sign of the sophistication of Winnti, Malwarebytes discovered a separate series of attacks targeting government entities in Sri Lanka in early August with a new backdoor called DBoxAgent that leverages Dropbox for command and control.

“To our knowledge, Winnti (a China-backed APT) is targeting Sri Lanka for the first time,” the Malwarebytes Threat Intelligence team said.

cyber security

The killchain is also notable for using an ISO image hosted on Google Drive that purports to be a document containing economic aid information, indicating an attempt by the threat actor to capitalize on the ongoing economic crisis in the nation.

Launching an LNK file contained in the ISO image leads to the execution of the DBoxAgent implant which allows the adversary to remotely commandeer the machine and export sensitive data to the cloud storage service. Dropbox has since deactivated the rogue account.

The backdoor further acts as a conduit to drop exploit tools that would open the door to further attacks and data exfiltration, including activating a multi-step infection sequence that results using an advanced C++ backdoor named KEYPLUG, which has been documented by Google’s Mandiant. in March 2022.

The development marks the first time APT41 has been observed using Dropbox for C&C purposes, illustrating the increasing use by attackers of legitimate software-as-a-service and cloud offerings to host malicious content.

“Winnti remains active and its arsenal continues to grow to become one of the most sophisticated groups today,” the cybersecurity firm said. “Sri Lanka’s location in South Asia is strategic for China as it has open access to the Indian Ocean and is close to India.”


Comments are closed.