Attackers breached Hong Kong government organizations and remained undetected for at least a year, researchers said.
Symantec researchers discovered the cyberattacks, which compromised government organizations in the administrative region, and attributed them to APT41 (a.k.a. Winnti).
The attackers have remained active in some organizations for more than a year, the researchers at Symantec said.
Spyder Loader
The attacker used Spyder Loader malware indicating that the attack was a continuation of Operation CuckooBees, targeting this time the government organizations in Hong Kong.
Spyder Loader was first discussed in a blog by SonicWall in March 2021.
At the time, the researchers said, the malware was used to attack information storage systems, execute harmful payloads, coordinate script execution, communicate with C&C servers, and harvest information about compromised devices.
It appears, according to the researchers, that the cyberattack against Hong Kong's government organizations was a continuation of "Operation CuckooBees."
'Operation CuckooBees'
The researchers at Cybereason discovered Operation CuckooBees in May 2022.
Operation CuckooBees, a campaign that sought to gather intelligence, had been operating undetected since 2019. It surreptitiously gathered intellectual property and other sensitive data from tech and manufacturing companies in East Asia, Western Europe, and North America.
Symantec said Spyder Loader (Trojan.Spyload) was deployed on the networks of the targeted victims. This could be an indication that the attack was part of the continuing campaign.
All indications, Symantec said, point to intelligence gathering as the ultimate objective of the attack.
Similarities Between Spyder Loader And Operation CuckooBees
Operation CuckooBees attackers exfiltrated hundreds of gigabytes of intellectual property the victims had developed. This included blueprints, diagrams, sensitive documents, and proprietary data related to manufacturing.
The threat actor also stole data from the victims that could be used in future attacks, namely customer data, credentials, and information on network architecture.
One of the tools used in Operation CuckooBees, Symantec noted, was the Spyder Loader malware - the same tool used in the attack against Hong Kong.
The hackers have apparently evolved the malware in the recent attack, the researchers said.
Symantec researchers said Spyder Loader and Operation CuckooBees have the following similarities:
The use of the CryptoPP C++ library
Compiled as a 64-bit DLL that is a modified copy of the SQLite3 DLL (used to manage SQLite databases), carrying a malicious export (sqlite3_extension_init)
The abuse of rundll32.exe to execute the malware loader
At the initial stage of the attack, according to Symantec, Spyder Loader decrypted AES-encrypted blobs to produce the next-stage payload, "wlbsctrl.dll".
Attack's Goals
Symantec researchers observed the use of the Mimikatz credential-dumping tool in the Hong Kong campaign. This enabled the attackers to move deeper into the targeted network.
A trojanized ZLib DLL with several malicious exports was observed by Symantec.
One of these malicious exports, the researchers said, appeared to wait for further communication from a command-and-control server, while another loads a payload from a file name supplied on the command line.
The researchers acknowledged they could not retrieve the final payload, so they lack a clear understanding of the attack's goal.
But the apparent goal of the latest campaign was to collect intelligence data from key government organizations in Hong Kong, they said.