The China-aligned espionage-focused actor nicknamed Winnti has set its sights on Hong Kong government organizations in an ongoing campaign dubbed Operation CuckooBees.
Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name given to a prolific threat group that carries out Chinese state-sponsored espionage activity, primarily aimed at stealing intellectual property from organizations in developed countries.
The threat actor’s campaigns have targeted the healthcare, telecommunications, hi-tech, media, agriculture and education sectors, with infection chains mostly relying on spear phishing emails with attachments to initially penetrate victims’ networks.
Earlier in May, Cybereason disclosed long-running attacks orchestrated by the group since 2019 to siphon tech secrets from tech and manufacturing companies primarily located in East Asia, Western Europe and North America.
The intrusions, dubbed Operation CuckooBees, are estimated to have resulted in the exfiltration of “hundreds of gigabytes of information”, the Israeli cybersecurity firm revealed.
The latest activity, according to the Symantec Threat Hunter team, part of Broadcom Software, is a continuation of the proprietary data theft campaign, but with a focus on Hong Kong.
The attackers remained active on some of the compromised networks for a year, the company said in a report shared with The Hacker News, adding that the intrusions paved the way for the deployment of a malware loader called Spyder, which was first discovered in March 2021.
“[Spyder] is used for targeted attacks on information storage systems, gathering information about corrupted devices, executing malicious payloads, coordinating script execution, and C&C server communication,” the SonicWall Capture Labs threat research team noted at the time.
Other post-exploitation tools, such as Mimikatz and a trojanized zlib DLL module capable of receiving commands from a remote server or loading an arbitrary payload, have also been deployed alongside Spyder.
Symantec said it did not observe delivery of any end-stage malware, although the motives for the campaign are believed to be related to intelligence gathering based on tactical overlap with previous attacks.
“The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed during this time, indicates that the actors behind this activity are persistent and targeted adversaries capable of performing stealthy operations on victim networks over a long period of time,” Symantec said.
Winnti targets Sri Lankan government entities
As a further sign of Winnti’s sophistication, Malwarebytes uncovered a separate set of attacks in early August targeting government entities in Sri Lanka with a new backdoor called DBoxAgent that leverages Dropbox for command and control.
“To our knowledge, Winnti (a China-backed APT) is targeting Sri Lanka for the first time,” the Malwarebytes Threat Intelligence team said.
The kill chain is also notable for using an ISO image hosted on Google Drive that purports to be a document containing information on economic assistance, indicating an attempt by the threat actor to capitalize on the ongoing economic crisis in the country.
Launching an LNK file contained in the ISO image leads to the execution of the DBoxAgent implant which allows the adversary to remotely commandeer the machine and export sensitive data to the cloud storage service. Dropbox has since deactivated the rogue account.
The backdoor further acts as a conduit to drop exploitation tools that open the door to further attacks and data exfiltration, including triggering a multi-step infection sequence that results in the deployment of an advanced C++ backdoor named KEYPLUG, which was documented by Google’s Mandiant in March 2022.
The development marks the first time APT41 has been observed using Dropbox for C&C purposes, illustrating the increasing use by attackers of legitimate software-as-a-service and cloud offerings to host malicious content.
“Winnti remains active and its arsenal continues to grow to become one of the most sophisticated groups today,” the cybersecurity firm said. “Sri Lanka’s location in South Asia is strategic for China as it has open access to the Indian Ocean and is close to India.”