Verticals Targeted: Government
Executive Summary
Symantec recently reported on Spyder Loader, a tool used by the Chinese-nexus state-sponsored threat actor group Winnti to target government entities in Hong Kong.
Key Takeaways
- Winnti has been using Spyder Loader to target government entities in Hong Kong.
- Spyder Loader is a 64-bit PE DLL targeting Windows machines.
- Spyder Loader is being used for targeted attacks with data exfiltration for espionage as the goal.
Chinese state-sponsored threat actor group Winnti has been targeting government organizations in Hong Kong. This activity is part of Operation CuckooBees, an espionage campaign active since at least 2019. The group was recently reported leveraging Spyder Loader in this campaign.
Spyder Loader is a 64-bit PE DLL targeting Windows machines. Multiple variants of Spyder Loader exist. The recently discovered variant is a modified copy of sqlite3.dll with a malicious export added. Spyder Loader can deliver additional payloads and is used for targeted attacks on information storage systems, collecting information about compromised devices, executing malicious payloads, executing scripts, and communicating with threat actor C2 servers. Winnti has used Spyder Loader to exfiltrate hundreds of gigabytes of targeted intellectual property, such as sensitive documents, blueprints, diagrams, formulas, and manufacturing data. They also stole credentials, customer data, and network architecture information that can be used for follow-on attacks.
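The detail that matters for a defender is the delivery mechanism: a legitimate 64-bit sqlite3.dll carrying one extra export. A trojanized library of this kind hashes differently from the genuine file but is otherwise hard to spot by name alone, so a useful triage check is to parse the export table and flag any name that falls outside the library's own namespace. The script below is an added example written for this report; it is not code from Symantec, PolySwarm, or the Spyder Loader analysis. It assumes that every public function exported by a genuine SQLite build is named `sqlite3_*` (true of the SQLite C API), parses the PE32+ export directory by hand so it runs without third-party packages, and uses `build_fake_dll` to construct a minimal synthetic DLL as test input. The export name `ExampleAddedExport` is a constructed placeholder; the report does not give the name of the real malicious export.

```python
import struct

# Heuristic: every public function in the genuine SQLite library is named
# sqlite3_*; an export outside that namespace in a file calling itself
# sqlite3.dll deserves a closer look.
LEGIT_PREFIX = "sqlite3_"

def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} not backed by any section")

def export_names(data: bytes) -> list[str]:
    """Return the named exports of a 64-bit PE DLL (PE32+), parsed by hand."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec = struct.unpack_from("<HH", data, coff)
    opt_size, chars = struct.unpack_from("<HH", data, coff + 16)
    if machine != 0x8664 or not chars & 0x2000:          # IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_DLL
        raise ValueError("not an x64 DLL")
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:   # PE32+ magic
        raise ValueError("not PE32+")
    export_rva, _export_size = struct.unpack_from("<II", data, opt + 112)  # DataDirectory[0]
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rawsize))
    if export_rva == 0:
        return []
    ed = _rva_to_offset(sections, export_rva)
    n_names = struct.unpack_from("<I", data, ed + 24)[0]                              # NumberOfNames
    names_off = _rva_to_offset(sections, struct.unpack_from("<I", data, ed + 32)[0])  # AddressOfNames
    names = []
    for i in range(n_names):
        off = _rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0])
        names.append(data[off:data.index(b"\0", off)].decode("ascii"))
    return names

def suspicious_exports(data: bytes) -> list[str]:
    """Exports that fall outside the sqlite3_ namespace."""
    return [n for n in export_names(data) if not n.startswith(LEGIT_PREFIX)]

def build_fake_dll(dll_name: str, exports: list[str]) -> bytes:
    """Construct a minimal, non-executable PE32+ DLL whose only content is an export table.
    Used purely as constructed test input; the function RVAs point at nothing."""
    n = len(exports)
    ed_rva = 0x1000
    funcs_rva, names_rva = ed_rva + 40, ed_rva + 40 + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strings = bytearray(dll_name.encode() + b"\0")
    name_rvas = []
    for e in exports:
        name_rvas.append(strings_rva + len(strings))
        strings += e.encode() + b"\0"
    # IMAGE_EXPORT_DIRECTORY followed by the three parallel tables and the string pool
    blob = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    blob += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))   # AddressOfFunctions (dummy)
    blob += b"".join(struct.pack("<I", r) for r in name_rvas)                 # AddressOfNames
    blob += b"".join(struct.pack("<H", i) for i in range(n))                  # AddressOfNameOrdinals
    blob += bytes(strings)
    raw_off = 0x200
    raw_size = (len(blob) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)          # x64, one section, DLL
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, raw_size, 0, 0, ed_rva, 0x180000000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 2, 0x160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", ed_rva, len(blob)) + b"\0" * (8 * 15)          # export dir + 15 empty entries
    sec = b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(blob), ed_rva, raw_size, raw_off,
                                                  0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + dirs + sec
    return headers.ljust(raw_off, b"\0") + blob.ljust(raw_size, b"\0")

# Constructed samples: a benign-looking export set and one with an added, non-SQLite export.
# "ExampleAddedExport" is a placeholder; the real Spyder Loader export name is not in the report.
SAMPLE_CLEAN = build_fake_dll("sqlite3.dll", ["sqlite3_open", "sqlite3_exec", "sqlite3_close"])
SAMPLE_TROJANIZED = build_fake_dll("sqlite3.dll",
                                   ["sqlite3_open", "sqlite3_exec", "sqlite3_close", "ExampleAddedExport"])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                      # real files to triage, if any were given
        with open(path, "rb") as f:
            print(path, suspicious_exports(f.read()))
    print("constructed clean sample:", suspicious_exports(SAMPLE_CLEAN))
    print("constructed trojanized sample:", suspicious_exports(SAMPLE_TROJANIZED))
```

Run it against any sqlite3.dll found on a host (`python check_exports.py path\to\sqlite3.dll`); an empty list is expected for a genuine build. The prefix heuristic is deliberately narrow and only covers this one library; pairing it with a hash comparison against the IOC listed below, and with the vendor's signed release, gives a stronger verdict than either check alone.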
Who is Winnti?
Winnti, also known as Wicked Panda, Axiom, APT41, and Bronze Atlas, is a sophisticated Chinese state-sponsored threat actor group. The group engages in espionage activity in support of or in conjunction with the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). Active since at least 2009, Winnti appears to have its roots in cybercrime, later evolving into the group’s current form. It is unknown whether the Chinese government recruited them into the military or intelligence services or whether they operate as contractors.
Winnti activity has ranged from criminal, financially motivated attacks to stealthy espionage campaigns in support of Chinese military intelligence collection requirements. Winnti targets have included software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments. The group has targeted a broad range of entities across the APAC, AMEA, and AMERICAS regions.
Winnti is known for having skilled programmers capable of developing sophisticated tools. The group uses a variety of TTPs, including but not limited to living-off-the-land (LotL) tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, Spyder, and ShadowPad. The group is also known to steal software signing certificates for use in their campaigns. Winnti has used ShadowPad malware since at least 2017. In 2020, several threat actors affiliated with Winnti were charged with computer intrusion campaigns against more than 100 victims worldwide.
IOCs
PolySwarm has a sample of Spyder Loader.
0cdbde55b23b26efd5c4503473bd673e3e5a75eae375bae866b6541edb8fcc84
You can use the following CLI command to search for all Spyder Loader samples in our portal:
$ polyswarm link list -f SpyderLoader