The Winnti cyber-espionage group out of China was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong.
Researchers at Symantec’s Threat Hunter Team recently observed malicious activity in which attackers remained active on some targeted networks for more than a year to steal critical data in what they believe is an extension of the group’s previously identified Operation Cuckoobees, they said in a blog post published this week.
“While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection,” researchers wrote.
Researchers at Cybereason first identified the Cuckoobees campaign in May as a massive cyber-espionage campaign against manufacturing and technology companies in North America and Asia that had been stealing immense stores of intellectual property and other sensitive data for years when it was discovered.
At that time, researchers estimated that Winnti — aka APT41, Wicked Panda, and Barium — so far had stolen hundreds of gigabytes of data, including trade secrets, blueprints, formulas, diagrams, and proprietary manufacturing documents, from more than 30 global organizations. They also harvested details about a target organization’s network architecture, user accounts, credentials, customer data, and business units to leverage in future attacks.
The latest activity against Hong Kong organizations appears to be part of that broad campaign, which is likely to continue and ensnare more victims in its cyber-espionage web before it’s over, researchers said. “The fact that this campaign has been ongoing for several years … indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time,” they wrote.
Unpacking a Trojan
During the activity they observed Symantec researchers got a good look under the hood at Spyder Loader, which Winnti already had been spotted using as the initial payload in previous malicious activity.
Researchers at SonicWall were the first to discuss the malware publicly in March 2021, according to Symantec, which is part of Broadcom Software. At the time researchers identified the malware being used for targeted attacks on information storage systems to collect information about corrupted devices, execute mischievous payloads, coordinate script execution, and communicate with command and control systems, they said in their report.
The malware later was spotted being used in the Cuckoobees campaign and now again against Hong Kong organizations, with various variants being deployed this time around. All of them “displayed largely the same functionality” to load next-stage payloads and perform functions similar to those described by SonicWall, using obfuscation to hide malicious activity, the researchers said.
Winnti is believed to be working on behalf of, or with the support of, the Chinese government since at least 2010. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China’s state intelligence agencies.
In addition to Cuckoobees, Winnti also has been linked to attacks in 2010 on scores of US firms that included such heavy-hitters as Google and Yahoo. Its activity eventually led the US government to indict five members of the threat group, which in the end did little to stop its malicious activities.
Technical Details
Symantec researchers analyzed a sample of Spyder Loader compiled as a 64-bit PE DLL, a modified copy of sqlite3.dll with the addition of a malicious export, sqlite3_prepare_v4, which expects a string as its third argument, they said.
“Reportedly, whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command-line,” researchers explained. “When this loader is executed, it extracts the file name from its third argument, and the referred file is expected to contain a sequence of records.”
The malware executes a created wlbsctrl.dll file that likely acts as a next-stage loader that runs the content of a previously stored blob_id 2 record — which it encrypts using the AES algorithm in Ciphertext Feedback (CFB) mode with segment_size of 0x80 bits — from the created FileMapping, researchers explained. The encryption key is based on the name of an affected computer per GetComputerNameW() API, they said.
Spyder Loader also used other obfuscation techniques to prevent its activity from being analyzed, researchers said. In addition to AES encryption, the malware sample also used the ChaCha20 algorithm encryption to obfuscate one of the strings, as well as cleaned up created artifacts by overwriting the content of the dropped wlbsctrl.dll file before deleting it, for example, they said.
There are several similarities between the Spyder Loader activity seen in the Hong Kong campaign and its original functionality as described by Cybereason. They include: use of a modified version of sqlite3.dll; use of the third parameter of its malicious export that’s consistent with the rundll32.exe command-line example seen in Cybereason’s research; and use of the CryptoPP C++ library.
In addition to Spyder Loader, credential-stealer Mimikatz and a Trojanized ZLib DLL were among the malware loaded onto victim machines, the researchers said.
The researchers included in their report a list of indicators of compromise for Spyder Loader in the post so enterprises can detect if their systems have been infected. They also encouraged organizations to stay up to date on the latest threats and malware in circulation that may require security updates by referring to Symantec’s Protection Bulletins page.
