    Hackers compromised Hong Kong govt agency network for a year

    alf9872000

    • 451 views
    • 2 minutes

    Researchers at Symantec have uncovered cyberattacks attributed to the China-linked espionage actor APT41 (a.k.a. Winnti) that breached government agencies in Hong Kong and remained undetected for a year in some cases.
    The threat actor has been using custom malware called Spyder Loader, which has been previously attributed to the group.
    In May 2022, researchers at Cybereason discovered ‘Operation CuckooBees’, which had been underway since 2019 focusing on high-tech and manufacturing firms in North America, East Asia, and Western Europe.
    Symantec’s report notes that there are signs that the newly discovered Hong Kong activity is part of the same operation, and Winnti's targets are government agencies in the special administrative region.

    Spyder Loader

    In Operation CuckooBees, Winnti used a new version of the Spyder Loader backdoor. Symantec’s report indicates that the hackers continue to evolve the malware, deploying several variants on the targets, all with the same functionality.
    Some of the similarities Symantec found when compared to the version analyzed by Cybereason include:

    • use of the CryptoPP C++ library
    • abuse of rundll32.exe to execute the malware loader
    • compiled as a 64-bit DLL that is a modified copy of sqlite3.dll (the SQLite3 library for managing SQLite databases), with a malicious export named sqlite3_extension_init

    Used in the initial infection stage, Spyder Loader loads AES-encrypted blobs that create the next-stage payload, “wlbsctrl.dll.”
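The execution chain described above (rundll32.exe calling the sqlite3_extension_init export of a modified sqlite3.dll, followed by wlbsctrl.dll) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or from Symantec; the log lines, file paths and rule names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators named in the article: Spyder Loader is a modified sqlite3.dll run
# through rundll32.exe via the export sqlite3_extension_init; the next stage is
# wlbsctrl.dll. Any rundll32 invocation of these DLLs is worth a closer look.
SUSPECT_DLLS = {"sqlite3.dll", "wlbsctrl.dll"}
SUSPECT_EXPORTS = {"sqlite3_extension_init"}

# Constructed sample command lines from process-creation events (hypothetical
# paths; not taken from the report).
SAMPLE_EVENTS = [
    r'rundll32.exe C:\ProgramData\sqlite3.dll,sqlite3_extension_init',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'rundll32 C:\Users\Public\wlbsctrl.dll,DllMain',
    r'C:\Program Files\App\app.exe --config app.ini',
]

# rundll32 syntax: rundll32[.exe] <dll>,<export> [args]  (or <dll> <export>)
_RUNDLL = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",\s]+)"?\s*[,\s]\s*(\S+)',
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (dll_basename, export) for a rundll32 command line, else None."""
    m = _RUNDLL.match(cmdline.strip())
    if not m:
        return None
    dll = PureWindowsPath(m.group(1)).name.lower()
    return dll, m.group(2)


def classify(cmdline):
    """Return the names of the detection rules that fire on one command line."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, export = parsed
    hits = []
    if dll in SUSPECT_DLLS:
        hits.append("rundll32_suspect_dll")
    if export.lower() in SUSPECT_EXPORTS:
        hits.append("suspect_export")
    return hits


def scan(events):
    """Return (command_line, rule_hits) for every event that triggers a rule."""
    return [(e, classify(e)) for e in events if classify(e)]
```

Quoted DLL paths containing spaces are not handled by the simple regex; extend the pattern if your telemetry contains them.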

    Activity and goals

    Symantec analysts also observed the deployment of the Mimikatz password extractor in the latest campaigns, allowing the threat actor to burrow deeper into the victim network.
    Additionally, the researchers saw "a trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control server, while the other would load a payload from the provided file name in the command line.”
    Although Symantec couldn’t retrieve the final payload, it appears that the goal in APT41’s latest campaign was to collect intelligence from key entities in Hong Kong.
    Symantec expects Winnti to continue to evolve its malware toolkit and introduce new payloads, as well as add more layers of obfuscation where possible.