Spyder Loader Malware Deployed Against Hong Kong Organizations

The Spyder Loader malware has been observed targeting government organizations in Hong Kong, likely as part of a campaign called Operation CuckooBees.

As described in a new advisory published by security researchers at Symantec earlier today, the campaign was first discussed publicly in a March 2021 blog by SonicWall, then analyzed further in May 2022 by Cybereason, which said the threat actors had been active since at least 2019.

Now, Symantec has revealed that the victims its security team recently observed in this activity were government organizations in Hong Kong, with the attackers remaining active on some networks for more than a year.

“We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign,” reads the Symantec advisory.

Further, the cybersecurity experts said they saw other malware samples carrying out different activities on victim networks as part of Operation CuckooBees. These included a modified SQLite dynamic-link library (DLL) that created a malicious service, the Mimikatz credential-dumping tool and a Trojanized ZLib DLL with multiple malicious exports.

“While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware, it seems likely the ultimate goal of this activity was intelligence collection,” Symantec wrote.

According to the company, the fact that this campaign has been ongoing for several years and includes different variants of the Spyder Loader malware indicates that the actors behind it are persistent adversaries with the technical ability to carry out stealthy operations on victim networks over a long period of time.

“Companies that hold valuable intellectual property should ensure that they have taken all reasonable steps to keep their networks protected from this kind of activity,” Symantec warned.

The advisory contains a list of indicators of compromise (IOCs) regarding Operation CuckooBees and a link to the Symantec Protection Bulletin for additional information about the threats connected with it.

The campaign is not the first to target entities in Hong Kong recently; it comes weeks after ESET published an advisory describing a Linux variant of the SideWalk backdoor, used by the SparklingGoblin group to target a Hong Kong university in February 2021.
