Sunday, December 8, 2024

Chinese Spyder Loader Malware Targeting Government Organizations to Steal Sensitive Data


Operation CuckooBees is still active and was recently detected by Symantec. This time, the operators of CuckooBees, APT41 (aka Winnti, Barium, Bronze Atlas, and Wicked Panda), are targeting Hong Kong-based companies and organizations.

Cyberespionage group APT41 has been active since 2007 and is one of the oldest and most active groups on the Internet. Operation CuckooBees, for its part, has been operating covertly, under the radar, since at least 2019.

Multiple attacks have been conducted by threat actors in order to steal intellectual property and other sensitive information from the victims’ computers.


In this ongoing campaign, threat actors targeted government organizations. On some of the networks, the attackers remained active for more than a year, showing how persistent the attackers are.

Operation CuckooBees

APT41 used the Spyder Loader (Trojan.Spyload) malware in Operation CuckooBees, and has also used it in previous attacks.

The version of the Spyder Loader malware that was used in the CuckooBees campaign retained all the old features of the previous versions of the malware, including:

  • A modified copy of sqlite3.dll
  • rundll32.exe
  • CryptoPP C++ library

The early stages of the infection process also follow a similar pattern.

Technical Analysis

In today’s world of complex modular backdoors, Spyder Loader has emerged as a very powerful tool with continuous updates and improvements. 

The loader sample that Symantec researchers analyzed is a 64-bit PE DLL, and it is a modified version of sqlite3.dll.

During the download process, Spyder Loader downloads AES-encrypted blobs to the victim’s device. Spyder Loader also makes use of Mimikatz and a trojanized zlib DLL module.

Once these objects are created, a payload named “wlbsctrl.dll” is created. The attackers stole secure data from the victims, which could potentially be used against them in future cyberattacks.

The types of data involved are:

  • Credentials
  • Customer data
  • Information about network architecture

Moreover, the variant used in the recent attacks against Hong Kong uses the ChaCha20 encryption algorithm to obfuscate its strings.

Aside from deleting the dropped wlbsctrl.dll file, the malware also cleans up the other artifacts it creates in order to hinder analysis.

Currently, no information is available regarding the final payload, since the security researchers at Symantec have not yet been able to retrieve it.
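As an added example (not from Symantec's report or from this article), the following Python code hunts Sysmon-style events for the behaviour described above: rundll32.exe launched with a sqlite3.dll argument, and a wlbsctrl.dll file that is created and later deleted on the same host. The event field names, hosts, paths, timestamps and export name are constructed for illustration.

```python
import ntpath
import re

# DLL names come from the article; hosts, paths, times and the export name are constructed.
LOADER_DLL, DROPPED_DLL = "sqlite3.dll", "wlbsctrl.dll"
PROCESS_CREATE, FILE_CREATE, FILE_DELETE = 1, 11, (23, 26)  # Sysmon event IDs
# sqlite3.dll is a common legitimate name, so only match it as a rundll32 argument.
_DLL_ARG = re.compile(r'(?:^|[\\/\s"])' + re.escape(LOADER_DLL) + r'(?=[\s",]|$)')

SAMPLE_EVENTS = [  # constructed sample data with simplified, hypothetical field names
    {"host": "ws01", "event_id": 1, "time": "2024-01-01T10:00:00",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\ProgramData\sqlite3.dll,ExampleExport"},
    {"host": "ws01", "event_id": 11, "time": "2024-01-01T10:00:05",
     "target": r"C:\Users\Public\wlbsctrl.dll"},
    {"host": "ws01", "event_id": 23, "time": "2024-01-01T10:02:00",
     "target": r"C:\Users\Public\wlbsctrl.dll"},
    {"host": "ws02", "event_id": 1, "time": "2024-01-01T11:00:00",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},   # benign
    {"host": "ws02", "event_id": 11, "time": "2024-01-01T11:01:00",
     "target": r"C:\Temp\wlbsctrl.dll.bak"},                       # different file name
]

def base(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()

def hunt(events):
    """Return time-ordered (host, finding) tuples for the article's behaviours."""
    findings, dropped = [], set()  # dropped: (host, path) pairs seen being created
    for ev in sorted(events, key=lambda e: e["time"]):
        host, eid = ev["host"], ev["event_id"]
        if eid == PROCESS_CREATE:
            cmd = ev["command_line"].lower()
            if base(ev["image"]) == "rundll32.exe" and _DLL_ARG.search(cmd):
                findings.append((host, "rundll32_loads_sqlite3"))
        elif eid == FILE_CREATE and base(ev["target"]) == DROPPED_DLL:
            dropped.add((host, ev["target"].lower()))
            findings.append((host, "wlbsctrl_created"))
        elif eid in FILE_DELETE and (host, ev["target"].lower()) in dropped:
            # Create followed by delete of the same file matches the cleanup step.
            findings.append((host, "wlbsctrl_created_then_deleted"))
    return findings

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(host, finding)
```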

For now, what’s clear is that the recent attacks appear to be part of a cyberespionage campaign that APT41 has been conducting for a considerable period of time.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
