Symantec researchers have identified a Chinese-backed threat actor, APT41, also known as Winnti, that had infiltrated government organisations in Hong Kong for nearly a year without detection. The threat actor was found to be using Spyder Loader, a custom malware previously attributed to the group.
According to the researchers, the infiltration is likely part of a larger campaign, Operation CuckooBees, which has been ongoing since 2019 and focuses on technology and manufacturing companies in North America, East Asia and Western Europe. CuckooBees was discovered in May this year by researchers at Cybereason.
There are many similarities between CuckooBees and the intrusion into the Hong Kong government. The targets are government entities operating in the special administrative region, and both attacks used the same Spyder Loader malware, although the versions differ; Symantec suggests that the attackers are constantly evolving the malware.
The group deploys several variants on its targets, each serving the same purpose. The samples analysed by Symantec and Cybereason share several traits: both use the CryptoPP C++ library; both abuse rundll32.exe to execute the malware loader; both were compiled as 64-bit DLLs disguised as a modified copy of the SQLite3 DLL (the library used for managing SQLite databases); and both deliver the malware as a malicious export in a multi-stage deployment intended to evade detection.
The malware works in two stages: Spyder Loader carries out the initial infection and then loads AES-encrypted blobs, which yield the payload for the next stage.
The researchers believe that APT41’s main objective was simply to collect and exfiltrate information from key government agencies in Hong Kong. Although the researchers were unable to retrieve the final payload, Winnti is expected to keep developing its malware, introducing new payloads and obfuscation techniques as it goes.