Researchers have unearthed new activities related to the Operation CuckooBees campaign that first appeared in May. The intelligence-gathering campaign had been running under the radar since 2019, harvesting intellectual property and other sensitive data from victims.
The campaign background
The covert attack campaign, mostly the work of the China-based Winnti APT, was aimed at multiple technology and manufacturing organizations located in North America, Western Europe, and East Asia.
The campaign used different versions of Spyder Loader, PRIVATELOG, and WINNKIT to target organizations.
These malware families leveraged the Windows Common Log File System (CLFS) mechanism and NTFS transaction manipulation to evade detection by security products.
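As an added illustration of what a defender can look for (this is example code, not from the article or from Symantec), the heuristic below scans constructed endpoint telemetry for the two evasion mechanisms just named: NTFS transactional file writes that are rolled back, and CLFS log files written outside the Windows directory. The TxF API names and the CLFS .blf extension are general Windows facts rather than indicators published for this campaign; the JSON event format, the process baseline, and the process names and paths in the sample are assumptions made for the example.

```python
"""Added example, not code from the article or from Symantec: a heuristic
over constructed endpoint telemetry for the two evasion mechanisms named
above. The TxF API names and the CLFS .blf extension are general Windows
facts rather than indicators published for this campaign; the JSON event
format and the process baseline are assumptions."""
import json
from collections import defaultdict

# NTFS transactional file APIs (TxF). A file written inside a transaction
# that is then rolled back never reaches disk in committed form, so
# file-based scanners may never see it.
TXF_WRITE = {"CreateFileTransactedW", "CreateFileTransactedA"}
TXF_ROLLBACK = {"RollbackTransaction"}
# CLFS base log files; payload staged inside them hides in plain sight.
CLFS_EXT = ".blf"
# Processes for which TxF/CLFS activity is routine (assumed baseline).
BASELINE = {"svchost.exe", "msiexec.exe", "trustedinstaller.exe"}
# Directory where CLFS logs are expected; writes elsewhere are of interest.
EXPECTED_CLFS_DIR = "c:\\windows\\"


def detect(lines):
    """Return {process: [reasons]} for processes outside the baseline that
    show a TxF write-then-rollback sequence or an unusual CLFS log write."""
    seen_txf_write = set()
    findings = defaultdict(list)
    for raw in lines:
        ev = json.loads(raw)
        proc = ev.get("process", "").lower()
        if not proc or proc in BASELINE:
            continue
        kind = ev.get("type")
        if kind == "api_call":
            api = ev.get("api", "")
            if api in TXF_WRITE:
                seen_txf_write.add(proc)
            elif api in TXF_ROLLBACK and proc in seen_txf_write:
                findings[proc].append("txf write followed by rollback")
        elif kind == "file_write":
            path = ev.get("path", "").lower()
            if path.endswith(CLFS_EXT) and not path.startswith(EXPECTED_CLFS_DIR):
                findings[proc].append(
                    f"clfs log written outside Windows dir: {ev['path']}"
                )
    return dict(findings)


# Constructed telemetry; process names and paths are made up for the example.
SAMPLE_EVENTS = [
    '{"ts": 1, "process": "svchost.exe", "type": "api_call", "api": "CreateFileTransactedW"}',
    '{"ts": 2, "process": "svchost.exe", "type": "api_call", "api": "RollbackTransaction"}',
    '{"ts": 3, "process": "updater.exe", "type": "api_call", "api": "CreateFileTransactedW"}',
    '{"ts": 4, "process": "updater.exe", "type": "api_call", "api": "RollbackTransaction"}',
    '{"ts": 5, "process": "updater.exe", "type": "file_write", "path": "C:\\\\ProgramData\\\\cache\\\\state.blf"}',
    '{"ts": 6, "process": "notepad.exe", "type": "file_write", "path": "C:\\\\Users\\\\a\\\\notes.txt"}',
    '{"ts": 7, "process": "notepad.exe", "type": "api_call", "api": "RollbackTransaction"}',
]

if __name__ == "__main__":
    for proc, reasons in detect(SAMPLE_EVENTS).items():
        print(proc)
        for reason in reasons:
            print("  -", reason)
```

The baseline exclusion is the part worth tuning in practice: legitimate installers and servicing components use both TxF and CLFS, so the value of this check comes from knowing which processes in your own environment normally do so and alerting only on the rest.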
The latest update
In a fresh update, Symantec researchers revealed that the campaign has been targeting organizations in Hong Kong. The attackers maintained their persistence on the networks of some government organizations for more than a year.
Campaign details
Hackers were seen dropping the Spyder Loader malware on victims’ networks, indicating that the activity is likely part of the Operation CuckooBees campaign.
The malware is capable of collecting information about compromised devices, executing malicious payloads, coordinating script execution, and communicating with the C2 server.
Furthermore, the attackers used post-exploitation tools such as Mimikatz and a trojanized SQLite DLL module that is capable of receiving commands from a remote server or loading an arbitrary payload.
While the final payload delivered in this campaign remains unknown, researchers assess, based on tactical overlaps with previous attacks, that the motive of the campaign is intelligence gathering.
Summing up
The fact that the campaign has been ongoing for several years with different versions of the Spyder Loader malware highlights that the threat actors are continuously evolving their evasion techniques to carry out stealthy operations. Therefore, organizations must keep up with evolving threats to stay protected from such attacks.