Saturday, May 18, 2024

Chinese Spyder Loader Malware Targeting Government Organizations to Steal Sensitive Data

Operation CuckooBees is still active and has been detected by Symantec recently. While this time it has been found that the operators of CuckooBees, APT41 (aka Winnti, Barium, Bronze Atlas, and Wicked Panda) are targeting Hong Kong-based companies and organizations.

Cyberespionage group APT41 is active since 2007, and it’s one of the most active and oldest groups on the Internet. On the other hand, since at least 2019, Operation CuckooBees has been operating under the radar in a highly classified manner.

Multiple attacks have been conducted by threat actors in order to steal intellectual property and other sensitive information from the victims’ computers.

In this ongoing campaign, threat actors targeted government organizations. On some of the networks, the attackers remained active for more than a year, showing how persistent the attackers are.

Operation CuckooBees

The operators APT41 have used Spyder Loader (Trojan.Spyload) malware in Operation CuckooBees, and they have also used this malware in previous attacks as well. 

The version of the Spyder Loader malware that was used in the CuckooBees campaign retained all the old features of the previous versions of the malware, including:-

  • A modified copy of sqlite3.dll
  • rundll32.exe
  • CryptoPP C++ library

A similar pattern of infection has also been observed at the beginning of the infection process. 

Technical Analysis

In today’s world of complex modular backdoors, Spyder Loader has emerged as a very powerful tool with continuous updates and improvements. 

A 64-bit PE DLL is used as a component of the loader sample that Symantec researchers analyzed, and it is a modified version of sqlite3.dll that is being used in this file.

On the victim’s device, during the download process, Spyder Loader downloads the blobs with AES encryption. The Spyder Loader also makes use of Mimikatz and a trojanized zlib DLL module.

Upon the creation of these objects, a payload is created, which is named “wbsctrl.dll”. The attackers stole secure data from the victims, which could potentially be used against them in future cyberattacks. 

Here below, we have mentioned the type of data involves:-

  • Credentials
  • Customer data
  • Information about network architecture

Moreover, this variant uses the ChaCha20 algorithm encryption to obfuscate strings that were used in recent attacks against Hong Kong.

Aside from deleting the dropped wlbsctrl.dll file, the malware also cleans up artifacts created by the malware to prevent the analysis.

Currently, there is no information is available regarding the final payload since the security researchers at Symantec were not able to retrieve the final payload yet.

For now, what’s clear is that the recent attacks appear to be part of a cyberespionage campaign that APT41 has been conducting for a considerable period of time.

Also Read: Download Secure Web Filtering – Free E-book


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles