A Chinese-linked cyberespionage group called Winnti (also known as APT41) has been discovered inside Hong Kong’s government network, remaining undetected for nearly a year.
Based on reports, the advanced persistent threat group has been utilising a custom malware called Spyder Loader, which researchers initially attributed to the group.
Last May, a separate researcher uncovered Operation CuckooBees, which has been targeting high-tech and manufacturing firms in Europe, Asia, and North America since 2019. The current incident showed signs that the newly identified Hong Kong cybercriminal activity is part of the same operation.
However, Winnti’s target focus is government agencies in particular administrative locations instead of manufacturing and high-tech companies.
The Winnti group heavily exploits the Spyder Loader backdoor.
Experts claimed that the Winnti group used a new version of the Spyder Loader backdoor in Operation CuckooBees. Additionally, the group allegedly continues to upgrade its malware, enabling them to deploy several strains on the targets.
Currently, there are several similarities between the new version and its older variant, such as the use of the CryptoPP C++ library and the use of rundll32[.]exe to execute the malware loader. Furthermore, both the old and the new versions carry a modified copy of the SQLite3 DLL, compiled as a 64-bit DLL, to manage the SQLite database.
Finally, the new version also uses the Spyder Loader to load AES-encrypted blobs that create the next-stage payload called “wlbsctrl[.]dll” for the initial infection.
The researchers have also seen the deployment of the Mimikatz password extractor in its latest attacks, which enables the attackers to dig deeper into their target’s network. Moreover, they observed a weaponised Zlib DLL that had numerous malicious exports.
One of the payloads appears to be waiting for instructions from a C2 server, while the other would load a payload from the given file name in the command line.
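As an added example (not code from the article or from the researchers' report), the following Python routine runs over constructed Sysmon-style process-creation and file-creation events and flags the two loader behaviours described above: rundll32.exe being used to load a DLL from outside the Windows system directories, and a wlbsctrl.dll appearing outside those directories. The event layout, the sample paths and the system-directory allow-list are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not taken from the article or any real host).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\Libraries\update.dll,Start"},
    {"type": "file", "path": r"C:\Windows\System32\wlbsctrl.dll"},
    {"type": "file", "path": r"C:\ProgramData\Temp\wlbsctrl.dll"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Assumed allow-list: DLLs are expected to be loaded from these directories.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL names named in the report as next-stage payloads.
WATCHED_DLLS = {"wlbsctrl.dll"}


def dll_from_rundll32_cmdline(cmdline: str):
    """Return the DLL path rundll32 was asked to load, or None."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else None


def in_system_dir(path: str) -> bool:
    """True if the file's parent directory is one of the system directories."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def triage(events):
    """Return (rule, path) findings for loader-style behaviour in the events."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("rundll32.exe"):
            dll = dll_from_rundll32_cmdline(ev["cmdline"])
            if dll and not in_system_dir(dll):
                findings.append(("rundll32_nonsystem_dll", dll))
        elif ev["type"] == "file":
            name = PureWindowsPath(ev["path"]).name.lower()
            if name in WATCHED_DLLS and not in_system_dir(ev["path"]):
                findings.append(("watched_dll_outside_system", ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Both rules are deliberately narrow; in practice they would be combined with the other indicators from the report (the modified SQLite3 DLL, Mimikatz, the Zlib DLL exports) rather than used alone.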
The researchers firmly believe that the goal of the Winnti group is to collect intelligence from essential entities in Hong Kong. Experts expect the threat group to continue upgrading its toolkit and payloads to make its backdoor more powerful.