Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that is a likely continuation of the Operation CuckooBees activity detailed by Cybereason in May. Winnti (aka APT41, Axiom, Barium, Blackfly) is a cyberespionage group that has been active since at least 2007.
The Operation CuckooBees had been operating under the radar since at least 2019, threat actors conducted multiple attacks to steal intellectual property and other sensitive data from victims.
The attacks detailed by Cybereason targeted technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.
Symantec pointed out that the attacks against government organizations in Hong Kong remained undetected for a year in some cases.
Symantec observed the attackers deploying a custom malware called Spyder Loader on the target networks
“We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection.” reads the analysis published by Symantec.
Spyder Loader is a sophisticated modular backdoor that according to the experts is under continuous evolution. The sample analyzed by Symantec is compiled as a 64-bit PE DLL, it is a modified copy of sqlite3.dll, which includes the malicious export sqlite3_prepare_v4.
Spyder Loader loads AES-encrypted blobs to create the wlbsctrl.dll which acts as a next-stage loader that executes the content.
Like the sample analyzed by Cyberreason, the Spyder Loader sample analyzed by Symantec uses the CryptoPP C++ library. The variant used in recent attacks against Hong Kong relies on ChaCha20 algorithm encryption for string obfuscation. To prevent analysis, the malware also cleans up created artifacts, overwriting the content of the dropped wlbsctrl.dll file before deleting it.
Another similarity between the recent campaign and the Spyder Loader activity described by Cybereason is the use of the rundll32.exe for the execution of the malware loader.
Once gained access to the target network, threat actors used Mimikatz to harvest credentials and used it for lateral movement.
“We also saw Mimikatz being executed on victim networks, as well as a Trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control (C&C) server, while the other would load a payload from the provided file name in the command-line.” continues the report.
Although Symantec researchers were not able to retrieve the final payload, they believe that the recent attacks are part of a long-running intelligence-gathering campaign conducted by APT41.
Symantec also shared Indicators of Compromise (IoCs) for this campaign.
(SecurityAffairs – hacking, APT41)