Researchers at Symantec have uncovered cyberattacks attributed to the China-linked espionage actor APT41 (a.k.a. Winnti) that breached government organizations in Hong Kong and, in some cases, remained undetected for an extended period.
The threat actor has been using custom malware called Spyder Loader, which has previously been attributed to the group.
In May 2022, researchers at Cybereason discovered "Operation CuckooBees", which had been underway since 2019 and focused on high-tech and manufacturing firms in North America, East Asia, and Western Europe.
Symantec's report notes that there are signs that the recently discovered Hong Kong activity is part of the same operation, with Winnti's targets being government entities in the special administrative region.
In Operation CuckooBees, Winnti used a new version of the Spyder Loader backdoor. Symantec's report indicates that the attackers continue to evolve the malware, deploying several variants on targets, all with the same functionality.
Some of the similarities Symantec found when comparing it to the version analyzed by Cybereason include:
use of the CryptoPP (Crypto++) C++ library
abuse of rundll32.exe to execute the malware payload
compilation as a 64-bit DLL that is a modified copy of the SQLite3 database library, sqlite3.dll, with a malicious export (sqlite3_extension_init)
Used in the initial infection stage, Spyder Loader loads AES-encrypted blobs that are decrypted to create the next-stage payload, "wlbsctrl.dll".
Activity and goals
Symantec analysts also observed the deployment of the Mimikatz credential-dumping tool in the latest campaigns, allowing the threat actor to move deeper into the victim network.
The researchers also saw "a trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control server, while the other would load payload from the provided file name in the command line."
Although Symantec could not retrieve the final payload, it appears that the goal of APT41's latest campaign was to collect intelligence from key entities in Hong Kong.
Symantec expects Winnti to continue to evolve its malware toolkit, introduce new payloads, and add further layers of obfuscation where possible.
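The two tradecraft details above, rundll32.exe executing a modified sqlite3.dll with a malicious sqlite3_extension_init export, and a trojanized ZLib DLL that takes a payload file name on the command line, both leave a mark in process-creation telemetry. The following hunt script is an added example written for this page, not code from Symantec, Cybereason, or the actor's tooling. It parses constructed rundll32 command lines (the sample events are invented for illustration, not real telemetry from either report) and flags executions that match the described pattern. The source does not state that rundll32 invokes sqlite3_extension_init by name, nor does it name the ZLib DLL's exports, so matching on that entry point and on the file names sqlite3.dll/zlib1.dll/zlib.dll is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (invented for this example, not
# telemetry from the Symantec or Cybereason reports). Tuples of (image, cmdline).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\ProgramData\\sqlite3.dll,sqlite3_extension_init"),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe \"C:\\Users\\Public\\zlib1.dll\",#1 C:\\Users\\Public\\blob.dat"),
    ("C:\\Program Files\\App\\app.exe",
     "app.exe --config C:\\Program Files\\App\\sqlite3.dll"),
]

# Assumption: the malicious sqlite3.dll export named on the page is what gets
# invoked; the ZLib DLL's export names are not given, so only file names match.
SUSPICIOUS_ENTRYPOINTS = {"sqlite3_extension_init"}
IMPERSONATED_DLLS = {"sqlite3.dll", "zlib1.dll", "zlib.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 syntax: rundll32[.exe] <dll>,<entry or #ordinal> [args]
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)"?\s*,\s*(?P<entry>#?\w+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    dll: str
    entry: str
    reasons: list


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) from a rundll32 command line, or None."""
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("entry")


def triage_rundll32(events):
    """Flag rundll32 executions matching the loader pattern described above."""
    findings = []
    for image, cmdline in events:
        if not image.lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(cmdline)
        if parsed is None:
            continue
        dll, entry = parsed
        dll_l = dll.lower()
        name = dll_l.rsplit("\\", 1)[-1]
        reasons = []
        if not dll_l.startswith(SYSTEM_DIRS):
            reasons.append("dll outside system directories")
        if entry.lower() in SUSPICIOUS_ENTRYPOINTS:
            reasons.append(f"entry point {entry}")
        if name in IMPERSONATED_DLLS:
            reasons.append(f"impersonated library name {name}")
        if reasons:
            findings.append(Finding(dll, entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_rundll32(SAMPLE_EVENTS):
        print(f.dll, f.entry, "; ".join(f.reasons))
```

The "outside system directories" signal on its own is weak, since legitimate software runs rundll32 against DLLs under Program Files, and a genuine sqlite3.dll shipped by an application will trip the file-name check. Treat a hit as a triage lead: pull the flagged DLL, compare its export table and hash against a known-good SQLite or zlib build, and check whether the entry point decrypts and loads a further stage such as the wlbsctrl.dll payload the report describes.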