Posted on October 19, 2022 at 5:52 PM
Symantec researchers have detected cyberattacks caused by the APT41 threat actor group. The group breached several government agencies in Hong Kong, and it remained hidden for one year in some instances.
Hackers compromise Hong Kong government agency for a year
APT41, also known as Winnti, is an espionage threat actor. The group infiltrates organizations and government agencies to steal sensitive information. It operates stealthily, which could explain why it stayed undetected for a year after breaching a government agency in Hong Kong.
The hacking group has been deploying a custom malware dubbed Spyder Loader. This malware has been linked to the threat actor group in the past. The malware has been used to infiltrate key government ministries.
In May 2022, research from Cybereason detected “Operation CuckoBees.” The operation has been ongoing since 2019, and it mainly focused on manufacturing firms and high-tech institutions based in East Asia, North America, and Western Europe.
The recently released report by Symantec has added that there are signs that the uncovered activity in Hong Kong was part of this operation. The APT41 threat actor group targeted government agencies operating in the special administrative region.
Hackers used the Spyder Loader malware
As noted above, the attackers in this campaign used the Spyder Loader malware. While conducting Operation CuckoBees, Winnti deployed a new version of the Spyder Loader backdoor.
The report by Symantec has also indicated that the hackers have continued to evolve and develop new tactics to hide their activity. They have deployed different versions of the malware on the targets. Each of these malware variants carries the same function.
Nevertheless, the research by Symantec pointed to some similarities between the detected malware and the variant that Cybereason analyzed. One of these similarities is the use of the CryptoPP C++ library.
Both campaigns also abused rundll32.exe to execute the malware loader. This indicated that the malware originated from the same source and that the APT41 group was behind each of these attacks.
The other similarity between the malware detected by Symantec and the sample analyzed by Cybereason is that it is compiled as a 64-bit DLL that is a modified copy of SQLite3, the library used to manage SQLite databases, and is named sqlite.dll. The modified DLL also carries a malicious export, sqlite3_extension_init.
Spyder Loader loads AES-encrypted blobs, which were detected in the initial infection stage. These blobs are used to create the next-stage payload, known as “wlbsctrl.dll.”
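As an added illustration that is not part of the Symantec or Cybereason reports, the following Python scans constructed process-creation events for the rundll32.exe tradecraft described above: a DLL launched from a user-writable path, a DLL named like the modified SQLite3 library or the wlbsctrl.dll next stage, or the sqlite3_extension_init export. The key=value log format, the sample lines and the trusted-directory list are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events in a hypothetical key=value format (not real telemetry).
SAMPLE_EVENTS = [
    r'ts=2022-03-01T09:12:44Z host=HOST-A parent=explorer.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Users\Public\sqlite.dll,sqlite3_extension_init"',
    r'ts=2022-03-01T09:13:02Z host=HOST-A parent=services.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'ts=2022-03-01T09:15:10Z host=HOST-B parent=cmd.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\ProgramData\wlbsctrl.dll,Start"',
    r'ts=2022-03-01T09:16:33Z host=HOST-B parent=services.exe image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"',
]

# Names taken from the article: the loader poses as a SQLite3 DLL with a malicious export,
# and it produces the next-stage payload wlbsctrl.dll.
SUSPICIOUS_EXPORTS = {"sqlite3_extension_init"}
SUSPICIOUS_DLLS = {"sqlite.dll", "sqlite3.dll", "wlbsctrl.dll"}
# Assumed set of directories rundll32 normally loads from; anything else is treated as user-writable.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# rundll32 launch syntax: rundll32.exe <dll path>,<export name>
CMD_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, dropping the quotes around the command line."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_rundll32(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a rundll32 launch matching the loader tradecraft, else None."""
    if event.get("image", "").lower().rsplit("\\", 1)[-1] != "rundll32.exe":
        return None
    m = CMD_RE.search(event.get("cmd", ""))
    if not m:
        return None
    dll_path, export = m.group(1).strip(), m.group(2).strip()
    dll_name = dll_path.lower().rsplit("\\", 1)[-1]
    reasons = []
    if not dll_path.lower().startswith(TRUSTED_DIRS):
        reasons.append("dll_outside_trusted_dirs")
    if dll_name in SUSPICIOUS_DLLS:
        reasons.append("known_loader_dll_name")
    if export.lower() in SUSPICIOUS_EXPORTS:
        reasons.append("known_malicious_export")
    if not reasons:
        return None
    return {"host": event.get("host", "?"), "ts": event.get("ts", "?"),
            "dll": dll_path, "export": export, "reasons": ",".join(reasons)}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over raw log lines and keep only the events that produced a finding."""
    return [f for f in (check_rundll32(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```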
The activity of the threat actor
The Symantec analysts also noted that the Mimikatz credential-dumping tool was deployed during the latest campaigns. This allowed the attackers to move deeper into the victim’s network, a common pattern among espionage actors that target individuals, firms, and government agencies to exfiltrate sensitive information.
The researchers also observed the deployment of a trojanized tool that sent information to the attacker through a command-and-control server, allowing data to be stolen while avoiding detection.
According to the researchers, the attackers used “a trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control server, while the other would load a payload from the provided file name in the command line.”
The Symantec researchers were unable to access the final payload. Nevertheless, it now looks like the objective of the latest campaign by the APT41 hacking group was to gather intelligence from the main institutions based in Hong Kong.
Symantec researchers also said that Winnti would continue transforming its malware toolkit, launching new payloads while adding more layers to hide its operations from victims. This obfuscation allowed the group to operate for around one year.
Symantec also added that the campaign has been ongoing for several years, which was made possible by using different variants of the Spyder Loader malware. The variation of this malware showed that the threat actor group was persistent and paid close attention to their victims. Moreover, they could remain hidden for a long period, meaning they could have accessed large volumes of data.
“Companies that hold valuable intellectual property should ensure that they have taken all reasonable steps to keep their networks protected from this kind of activity,” the researchers concluded.