Saturday, September 7, 2024
HomeCyber Security NewsChinese Spyder Loader Malware Targeting Government Organizations to Steal Sensitive Data

Chinese Spyder Loader Malware Targeting Government Organizations to Steal Sensitive Data

Published on

Operation CuckooBees is still active and has been detected by Symantec recently. While this time it has been found that the operators of CuckooBees, APT41 (aka Winnti, Barium, Bronze Atlas, and Wicked Panda) are targeting Hong Kong-based companies and organizations.

Cyberespionage group APT41 is active since 2007, and it’s one of the most active and oldest groups on the Internet. On the other hand, since at least 2019, Operation CuckooBees has been operating under the radar in a highly classified manner.

Multiple attacks have been conducted by threat actors in order to steal intellectual property and other sensitive information from the victims’ computers.

- Advertisement - EHA

In this ongoing campaign, threat actors targeted government organizations. On some of the networks, the attackers remained active for more than a year, showing how persistent the attackers are.

Operation CuckooBees

The operators APT41 have used Spyder Loader (Trojan.Spyload) malware in Operation CuckooBees, and they have also used this malware in previous attacks as well. 

The version of the Spyder Loader malware that was used in the CuckooBees campaign retained all the old features of the previous versions of the malware, including:-

  • A modified copy of sqlite3.dll
  • rundll32.exe
  • CryptoPP C++ library

A similar pattern of infection has also been observed at the beginning of the infection process. 

Technical Analysis

In today’s world of complex modular backdoors, Spyder Loader has emerged as a very powerful tool with continuous updates and improvements. 

A 64-bit PE DLL is used as a component of the loader sample that Symantec researchers analyzed, and it is a modified version of sqlite3.dll that is being used in this file.

On the victim’s device, during the download process, Spyder Loader downloads the blobs with AES encryption. The Spyder Loader also makes use of Mimikatz and a trojanized zlib DLL module.

Upon the creation of these objects, a payload is created, which is named “wbsctrl.dll”. The attackers stole secure data from the victims, which could potentially be used against them in future cyberattacks. 

Here below, we have mentioned the type of data involves:-

  • Credentials
  • Customer data
  • Information about network architecture

Moreover, this variant uses the ChaCha20 algorithm encryption to obfuscate strings that were used in recent attacks against Hong Kong.

Aside from deleting the dropped wlbsctrl.dll file, the malware also cleans up artifacts created by the malware to prevent the analysis.

Currently, there is no information is available regarding the final payload since the security researchers at Symantec were not able to retrieve the final payload yet.

For now, what’s clear is that the recent attacks appear to be part of a cyberespionage campaign that APT41 has been conducting for a considerable period of time.

Also Read: Download Secure Web Filtering – Free E-book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...