On Tuesday, Symantec reported a continuation of an operation conducted by the Advanced Persistent Threat (APT) group Winnti called Operation CuckooBees. This operation was first reported about in May of this year and has been operating since at least 2019. Winnti, also referred to as APT41, Barium, Blackfly, Bronze Atlas, Double Dragon, and Wicked Panda, typically targets Intellectual Property (IP), focusing on data exfiltration rather than extortion or sabotage. This latest campaign leverages Spyder Loader, which relies on DLL hijacking for execution, to collect information, execute payloads, and facilitate Command and Control (C2) communication. Alongside Spyder Loader, several other tools are deployed, including Mimikatz. The attacks seem to be tailored to the target as well; earlier this year, Winnti attacked Sri Lankan government entities with a separate backdoor, using an ISO image from a Google Drive containing an executable and a .lnk file depicted as a folder.
Hong Kong Government Organizations Targeted by China-Aligned APT Using Spyder Loader
While groups like Winnti can be highly sophisticated in their attack techniques, the wide range of tools and techniques they use can offer multiple opportunities for detection. Companies’ primary goal should be to diversify their security efforts to cover a wide range of possibilities. For protecting IP and detecting unauthorized file access, consider using canary tokens, which are files that appear to contain lucrative data (such as passwords.xlsx or patentdata2022.pdf) that send an alert when they are opened. Companies should also consider analyzing business use-case for file sharing sites, such as Dropbox and Google Drive, and limit access to those sites where possible. Some web proxies can even allow users to request one-time approval for accessing blocked sites, enabling security personnel to review the files being requested. For detecting new or obscure executables, companies can include hashes of executables in process logs and perform long-tail analysis, looking for hash/file name combinations that appear infrequently. This is best paired with an effective software management process to reduce the likelihood that legitimate processes match across multiple devices.