Researchers at Symantec have uncovered cyberattacks attributed to the China-linked espionage actor APT41 (a.k.a. Winnti) that breached government agencies in Hong Kong and, in some cases, remained undetected for a year.
The threat actor has been using custom malware called Spyder Loader, which has previously been attributed to the group.
In May 2022, researchers at Cybereason discovered ‘Operation CuckooBees’, which had been underway since 2019 focusing on high-tech and manufacturing firms in North America, East Asia, and Western Europe.
Symantec’s report notes that there are signs the newly discovered Hong Kong activity is part of the same operation, with Winnti’s targets this time being government agencies in the special administrative region.
Spyder Loader
The Hong Kong intrusions used a new version of Spyder Loader, the backdoor previously seen in Operation CuckooBees. Symantec’s report indicates that the hackers continue to evolve the malware, deploying several variants on the targets, all with the same functionality.
Some of the similarities Symantec found when compared with the version analyzed by Cybereason include:
- use of the CryptoPP C++ library
- abuse of rundll32.exe to execute the malware loader
- compilation as a 64-bit DLL that is a modified copy of the legitimate SQLite3 library (sqlite3.dll), carrying a malicious export named sqlite3_extension_init
Used in the initial infection stage, Spyder Loader loads AES-encrypted blobs that produce the next-stage payload, “wlbsctrl.dll.”
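The traits above (rundll32.exe executing a trojanized sqlite3.dll through the export sqlite3_extension_init, followed by a next-stage wlbsctrl.dll) can be turned into a simple triage rule over endpoint telemetry. The script below is an added example written for this page, not code from Symantec, Cybereason or the Spyder Loader reports. The event records are constructed for illustration; the exact rundll32 command-line form (`<dll path>,<export>`), the set of directories treated as trusted, and the assumption that a legitimate wlbsctrl.dll lives under System32 are all assumptions of the example, not facts from the report.

```python
import ntpath
import re

# Constructed sample events in a simplified process-creation / image-load
# shape (not real telemetry, not the format of any specific EDR product).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\sqlite3.dll,sqlite3_extension_init"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\ProgramData\Cache\sqlite3.dll",Start'},
    {"type": "image_load", "image": r"C:\Windows\System32\wlbsctrl.dll", "cmdline": ""},
    {"type": "image_load", "image": r"C:\Users\Public\wlbsctrl.dll", "cmdline": ""},
]

# Assumed rundll32 invocation syntax: rundll32[.exe] <dll>,<export> [args].
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[A-Za-z0-9_#]+)',
    re.IGNORECASE,
)

# Assumption: DLLs loaded from these roots are treated as trusted locations.
TRUSTED_DIRS = tuple(
    ntpath.normcase(d) + "\\"
    for d in (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
              r"C:\Program Files", r"C:\Program Files (x86)")
)

LOADER_EXPORT = "sqlite3_extension_init"   # malicious export reported for Spyder Loader
LOADER_DLL = "sqlite3.dll"                  # trojanized host library
NEXT_STAGE_DLL = "wlbsctrl.dll"             # next-stage payload name


def in_trusted_dir(path):
    """True if the (Windows) path sits under one of the trusted roots."""
    return ntpath.normcase(path).startswith(TRUSTED_DIRS)


def parse_rundll32(cmdline):
    """Return (dll, export) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def classify(event):
    """Return a list of (severity, reason) findings for a single event."""
    findings = []
    image_name = ntpath.basename(event["image"]).lower()
    if event["type"] == "process_create" and image_name == "rundll32.exe":
        parsed = parse_rundll32(event["cmdline"])
        if parsed:
            dll, export = parsed
            if export.lower() == LOADER_EXPORT:
                findings.append(("high", f"rundll32 invoked {export} in {dll}"))
            elif ntpath.basename(dll).lower() == LOADER_DLL and not in_trusted_dir(dll):
                findings.append(("medium", f"rundll32 loaded {LOADER_DLL} from untrusted path {dll}"))
    if event["type"] == "image_load" and image_name == NEXT_STAGE_DLL:
        if not in_trusted_dir(event["image"]):
            findings.append(("medium", f"{NEXT_STAGE_DLL} loaded from untrusted path {event['image']}"))
    return findings


def triage(events):
    """Run classify() over a batch; returns [(event_index, severity, reason), ...]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in classify(ev)]


if __name__ == "__main__":
    for idx, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {why}")
```

The high-severity rule keys on the export name, which is the most specific indicator on the page; the two medium rules only say that a DLL with one of the reported names appeared outside a trusted directory, so they are hunting leads rather than verdicts and will need tuning against the environment's own baseline of rundll32 usage.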
Activity and goals
Symantec analysts also observed the deployment of the Mimikatz credential-dumping tool in the latest campaigns, allowing the threat actor to move further into the victim network.
Additionally, the researchers saw “a trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control server, while the other would load a payload from the provided file name in the command line.”
Although Symantec couldn’t retrieve the final payload, it appears that the goal in APT41’s latest campaign was to collect intelligence from key entities in Hong Kong.
Symantec expects Winnti to continue to evolve its malware toolkit and introduce new payloads, as well as add more layers of obfuscation where possible.