Context
On October 18, 2022, Symentec researchers reported an extension to the Operation CuckooBees campaign leveraging the Spyder Loader to target government organizations in Hong Kong.
Community Impact
Operation CuckooBees is publicly attributed to APT41 (also known as Winnti), a Chinese state-backed threat group based on tactics, techniques, and procedures (TTPs). The campaign was initially reported and analyzed by Cyberreason researchers in May 2022 as an intellectual property theft operation targeting multiple organizations in Europe, North America, and Asia. The group is known to split efforts between cyberespionage on behalf of the Chinese government and financially motivated attacks against private sector organizations.
Aviation, gaming, manufacturing, and hospitality are among APT41’s most targeted industries. Many RH-ISAC members fall into these categories, and RH-ISAC members have reported indicators of compromise (IOCs) connected to APT41 as recently as May 2022. As such, members are encouraged to maintain awareness of developments in APT41 activity and to ingest the IOCs shared here.
Technical Details
Symantec researchers reported that APT actors remained active on the networks of government organizations targeted in the current wave of activity for more than a year. Symantec researchers did not observe the final payload, but given the overlapping TTPs with past Operation CuckooBees activity, the likely end goal of the activity is intelligence collection.
Spyder Loader is a 64-bit PE DLL, a modified copy of sqlite3[.]dll. Spyder Loader uses AES and ChaCha20 algorithm encryption and cleans up created artifacts by overwriting the content of dropped DLL files before deleting them. Similarities to Operation CuckooBees activity include:
- Use of a modified version of sqlite3.dll
- rundll32[.]exe command-line example seen in Cybereason’s research seems consistent with how the third parameter of malicious export is used in this sample
- Use of the CryptoPP C++ library
Symantec researchers also observed additional malware activity on targeted networks, including modified SQLite DLL files, Mimikatz executions, and trojanized ZLib DLL files
IOCs
Symantec researchers provided the following IOCs:
| Indicator | Type |
| 00634e46b14ba42c12e35a367f1c7a616fb8e8754ebb2e24ae936377a3ee544a | SHA256 |
| 033313b31fbea64a1a0a53b38c74236f7af2e49018faa2be6c036427c456ef6d | SHA256 |
| 06ed28c4ae295dec0bd692cd7fcecb5fa9de644968d281f5e4bf48eb72bc4b63 | SHA256 |
| 091e3e806b6d66cf1eccbd57a787eec65df5f07ad88118c576b3ae06c08af744 | SHA256 |
| 0cdbde55b23b26efd5c4503473bd673e3e5a75eae375bae866b6541edb8fcc84 | SHA256 |
| 181a25cbcd050c1b42839a5d32df4f59055e27377e71eaa3eb9230a43667f075 | SHA256 |
| 228784cc7dad998f1f8b7395bf758827eff9b27762a7056d9e8832bb8a029aad | SHA256 |
| 260d54c2fcf725a8b6d030c36ca26f65ba3d01f707fa0e841cac0166d06218c0 | SHA256 |
| 2879253c8c8dd3ee53525c81801d813594bb657ad4f7478ba4288112f0315c9e | SHA256 |
| 2da683d54f12d83f0f111b5c57f7f78016cad5860b2604d38b2aba37ab3d5c55 | SHA256 |
| 3196e74004816227323d6864448361fb173b3c96cf3d1b0aa26dfcd259a61505 | SHA256 |
| 33aa5df5470ae59cd30c7ea4c2ad1e13901a8fd13ea6b4b5584d10ffdba31ee4 | SHA256 |
| 396e35b2a4f920182d3148c834cf70f00b6094600e51e030d6fc297cb0ca5c06 | SHA256 |
| 3b3df3ada05e521ec8ce2f0deaeb6fd4359a2de9cadb0dd51c0d9d7a835473a4 | SHA256 |
| 3d96132412d8587849aa5dfd35c968755b30a08b100ec42eb810ff1f042e9fd0 | SHA256 |
| 3e10500c3779e56d2daa05da920d014becf33597f5ccb67c069320c5c43d40d2 | SHA256 |
| 4164cfc533621e37c8ad910f29d4afa92d0180c1697b7970746243574029a1f1 | SHA256 |
| 417a65be8ef81cb36021dbe56b07bf5dd65b7355e61b7a94bc988aaa335b22da | SHA256 |
| 4221362bba10aedbb2d09729567d090f543c5de8543ec55ca4a6516815202064 | SHA256 |
| 438dddd93333ccfce4499558c92b20341166a134a8451ffc60ebf6ec5e0890dc | SHA256 |
| 48658c800b724197cb91cbfd064df060221bc72bd77301707cb30b2f7c2b81fb | SHA256 |
| 4a9cd0c32d6992077d3140917928f1b931bb2bf28e88f0dd8e4c92cd5d9cbe00 | SHA256 |
| 4bc3a4e4d74b81acf19621da7c8304527fff954747ab3393b78e0758306b3fa6 | SHA256 |
| 4d8784b957d826acc00e5a87d7317bbaeb63c7f9f86a5f446a41a5a355de437e | SHA256 |
| 4dfae8301a9284eea4e975476ceaa652d5d3c799879dec7c5c9e18bbc2930885 | SHA256 |
| 54bcd44d4606e0fdb1b7c2110684f429f9e234269d213ddb60c9665e7b8679c7 | SHA256 |
| 551794bd7c66fb064d81230161b25ed81a714aa9377f2a9a1af69626dc99d385 | SHA256 |
| 5bf03354d708d3c87e82a50d3f4c948fc8c6e8186537b0463edafd9546b51333 | SHA256 |
| 5cf6bca323851a509120399a975edc759a9d2c5c21aff18ee6cae506b0f93d67 | SHA256 |
| 5deab41977d5d6217b3e35cfab81015d83f270650ccc170dfb948e55e92478dd | SHA256 |
| 5f477c03a689b4aeed28dcb2f8bab3dfa7fc834223062f16eddb5426c2cfa2e6 | SHA256 |
| 6741a9ea57e38d1e9d6014bd191b0ac517d2bfa2d79cb091c64fb8011c8521d3 | SHA256 |
| 69d927abbacdfcdcad0a1d878e8c0a8543a940a101447b9127365034f7a2d773 | SHA256 |
| 6d07ce2ca82489599ae609c6ed18f587059ed5cf2d32a513c5ea6d35861695e9 | SHA256 |
| 6d689996a8721f8417de46d645dc6b66b261afdf8ee30b4a0853ff94ec87d3b0 | SHA256 |
| 72424e99c1814a1d741508c198eac3e3e84626ce39d961c014718e7f8abb6fe5 | SHA256 |
| 7443e17e80dec2db6cfffc0a272fd8a27b2a98a42ffc15fb9065c072dc5904f7 | SHA256 |
| 74ff4db3af082d73dcba597cacfd4cae64e00c68169a64be2f3715a0f06535ae | SHA256 |
| 7ccb9cdaff8c6c7785ee1422aa70723c976f62795593b02fbf0923f09c6b647d | SHA256 |
| 7ecd5ec38db31cfb7146ac684eb75912e418c3fbb69a2562478b5fce2ae2c615 | SHA256 |
| 8344fcc55534f0b0e08f48f44607771d7cfad130f749ddcc434ffc6fd9012eaa | SHA256 |
| 8535a6e49afa4057e504fa8f4a21a06f535f51bbafff0631c662d7ade5aabfb9 | SHA256 |
| 8648bb183abf8aa2111f4d98ecc386e5bcdfa614033efdd124d61ee155261a13 | SHA256 |
| 86a45d92282ed3c4f82687eb1d6cfa6a906d6fc5033014bdc6c57da07db1b1b2 | SHA256 |
| 892c1f324fa5c2370b06dedf691bd60fa0aa70a4bd6502b9c615cdcd3d5e698a | SHA256 |
| 8a42bee7190e23f76e46e66f9194c33f33a60903a28d267acebf4fd8dead15e8 | SHA256 |
| 8a8109f2af10898cdf7259467d18410f2b61a89d5f0d7031b5e45e1bd3b8678a | SHA256 |
| 8eeba9d12cd01b8eb245c76ff16e34eb0455001243fcf1889f28655e55c1d1ed | SHA256 |
| 8fe7cc990ffaf4f156c0868b41e1e92d09c1270e11b96c7320498e0390cc93c6 | SHA256 |
| 9138916b9630c81a0b7b6597f4be72ca46c7e3dc1e6fd89d14ddb12f1deb7fdc | SHA256 |
| 95bc468f50483f337d3ef6e1c5d1765beffee4db9c057d6e49713b3a099b2eef | SHA256 |
| 96e22da2b69f599cba297a9aafc971a09c99433bf7f51ec37446c34ed3701d12 | SHA256 |
| 9b114bfec2561e76fd8d0c9b31633c2089abec8f3a99c297f0f6416838567452 | SHA256 |
| 9b7d8827685b71e92438355872f10c2364d7e3a3811df884eb41e371bcda8f6d | SHA256 |
| 9daa43c1204184634b9833718155404d6c0366fcdd524f945eacfc3e5760c116 | SHA256 |
| a43c9dbfd2a9c1a065eb7a9212f2125ea6e6a73256081bc2deacd50913162a6a | SHA256 |
| a7f291bde213d9eb4fa60fb3517a6ec6fb7a057457534afe895c1684db0ba21d | SHA256 |
| b02c10d8a83857352c99f09548397bf8e0ee0548b8e050e138b82eb08b98e938 | SHA256 |
| b13bc2986f098580e2432dac7004a9dca2254c6756dafa3b7f67aff743ee060f | SHA256 |
| b382824cbb11c60da6c733855c825dcbdf2bbfb8104a517d27af56b56625ba9f | SHA256 |
| b4703af681c75d2d16c555f008bc4308a4d03767ceed55c02d1a892341444304 | SHA256 |
| b4841104c663f4f013b467220d576035fd2187a92c84451709abff47c8fb162e | SHA256 |
| b4cdc814f1536264cc5e469cebcbf351ee9d1b9620248bc0a6b14725fe38d5a0 | SHA256 |
| b82a19a06270f37e3b12047a1382796678895fe1c58a9ef799cf5250f6c96dcf | SHA256 |
| c01f402b942502889aa854326405b29a4d33947547074fbb9eab7c4c4a896d77 | SHA256 |
| c276300d47daff9cc1e486e4ea3d776d82fa9b3f8161eccfe49fc3218afdfbe9 | SHA256 |
| c3d41387bcc9c9f2d9858b1286ed51369a06ed12abe7623344a31a0e0f18f36a | SHA256 |
| c57236c2e7fe84334d5bdef6420cbf121ab9f918f5d8e4323d7055b12947abb6 | SHA256 |
| c862f2cdbf817f6d7c5568a4af2d8766a30719297e31a71620503e50176fceb2 | SHA256 |
| ccaa5186451c0658b6294f5d8a78b3ec02505164c1ddec2b418259564cd7b23b | SHA256 |
| cd5a53fc5bb675b47bb4055d8f3e4c45902a8245df2300ccf03d7da6464add78 | SHA256 |
| cdaaf781557e85582dd42ff6a58ecbbb68a7cb2e0dc7c7aa49b1d5df5391330b | SHA256 |
| d06730e1d07491a70b4b18b52e8f35c92509b5049239e3794a6be73ce160e2c0 | SHA256 |
| d2939897865906fb339e878f620f928bff36c7dead15bb6ed94f7a9df16300e9 | SHA256 |
| d3a163a7313629cc380b9405aafb847247d2a256ae48b60bffd0bfbe3082c19c | SHA256 |
| d76e32647c3890100fe994a9a0f84a3e6957af08195366e86299e4033c2551f1 | SHA256 |
| dbc60a4878ae9f1a2184c44837db9968a157f2008a16e3a350909a598f918dd9 | SHA256 |
| dc4218b67f99196fb5d71c4bd5ce762e9b8950d8206e198a755650c5e6d17fd0 | SHA256 |
| dc647ce87c62b0ac76530362694d1dafdca5ca414e5abb18c324dfd24f0e9644 | SHA256 |
| deb0e05adad48b90a534beabe2ef4261d2a864112945907fbd2d020b90f24507 | SHA256 |
| e1af76d84f98eb4cd7af04d35030e37ffaa8120a7d048fafe0cbcb2a7f86c460 | SHA256 |
| e3b82ac4870a2ae86dfe88cf7ecf9bc0dc6ed653af0ad1aaa20194cae8aff411 | SHA256 |
| e4f4b3a554c8a0fd693201333e8d634f8ef1fa4ca4445ca556492bb9d0d486c4 | SHA256 |
| ef24840ccde8c7547b3329c7854fdd22d2178c7ad7f931303da2e6eacbf16d1c | SHA256 |
| f17278d4eaafff971864c02efdc0e4435defad96e7f5203e580a4e32c64681d8 | SHA256 |
| f8ebd94779851fbeca029db4ae938457c7ccf4e010b09f025ea5394b715b1838 | SHA256 |
| f90dc76a9500ee2bb3380d5f4589289ec7ffa647be4262ee7674d37ce02283b7 | SHA256 |
| 5d868bfbfc767515c35ced7b0da36f41ed4728914ba081f132a9d9c54564ebf0 | SHA256 |
