Thursday, November 30, 2023

Chinese Spyder Loader Malware Targeting Government Organizations to Steal Sensitive Data

Operation CuckooBees is still active and has been detected by Symantec recently. While this time it has been found that the operators of CuckooBees, APT41 (aka Winnti, Barium, Bronze Atlas, and Wicked Panda) are targeting Hong Kong-based companies and organizations.

Cyberespionage group APT41 is active since 2007, and it’s one of the most active and oldest groups on the Internet. On the other hand, since at least 2019, Operation CuckooBees has been operating under the radar in a highly classified manner.

Multiple attacks have been conducted by threat actors in order to steal intellectual property and other sensitive information from the victims’ computers.

In this ongoing campaign, threat actors targeted government organizations. On some of the networks, the attackers remained active for more than a year, showing how persistent the attackers are.

Operation CuckooBees

The operators APT41 have used Spyder Loader (Trojan.Spyload) malware in Operation CuckooBees, and they have also used this malware in previous attacks as well. 

The version of the Spyder Loader malware that was used in the CuckooBees campaign retained all the old features of the previous versions of the malware, including:-

  • A modified copy of sqlite3.dll
  • rundll32.exe
  • CryptoPP C++ library

A similar pattern of infection has also been observed at the beginning of the infection process. 

Technical Analysis

In today’s world of complex modular backdoors, Spyder Loader has emerged as a very powerful tool with continuous updates and improvements. 

A 64-bit PE DLL is used as a component of the loader sample that Symantec researchers analyzed, and it is a modified version of sqlite3.dll that is being used in this file.

On the victim’s device, during the download process, Spyder Loader downloads the blobs with AES encryption. The Spyder Loader also makes use of Mimikatz and a trojanized zlib DLL module.

Upon the creation of these objects, a payload is created, which is named “wbsctrl.dll”. The attackers stole secure data from the victims, which could potentially be used against them in future cyberattacks. 

Here below, we have mentioned the type of data involves:-

  • Credentials
  • Customer data
  • Information about network architecture

Moreover, this variant uses the ChaCha20 algorithm encryption to obfuscate strings that were used in recent attacks against Hong Kong.

Aside from deleting the dropped wlbsctrl.dll file, the malware also cleans up artifacts created by the malware to prevent the analysis.

Currently, there is no information is available regarding the final payload since the security researchers at Symantec were not able to retrieve the final payload yet.

For now, what’s clear is that the recent attacks appear to be part of a cyberespionage campaign that APT41 has been conducting for a considerable period of time.

Also Read: Download Secure Web Filtering – Free E-book


Latest articles

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major...

BLUFFS: Six New Attacks that Break Secrecy of Bluetooth Sessions

Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward...

Google Workspace’s Design Flaw Allows Attacker Unauthorized Access

Recent years saw a surge in cloud tech adoption, highlighting the efficiency through tools...

Serial ‘SIM Swapper’ Sentenced to Eight Years in Prison

In a digital age marred by deceit, 25-year-old Amir Hossein Golshan stands as a...

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable to Takeover – Hunters

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 - A severe design flaw...

Hackers Behind High-Profile Ransomware Attacks on 71 Countries Arrested

Hackers launched ransomware attacks to extort money from the following two entities by encrypting...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles