Security researchers tie the Spyder Loader (Trojan.Spyload) to a long-running intelligence-gathering operation called Operation CuckooBees, active since at least 2019 and targeting intellectual property. The loader is a 64-bit PE DLL derived from sqlite3.dll, invoked via rundll32 for C2 communication and data exfiltration, with Symantec detailing extensive IOCs and activity observed in Hong Kong campaigns. #SpyderLoader #CuckooBees
Keypoints
- The Spyder Loader is linked to Operation CuckooBees, a long-running intelligence-gathering campaign first discussed publicly by SonicWall and later expanded by Cybereason.
- The campaign targeted intellectual property and other sensitive data, including documents, blueprints, diagrams, formulas, and manufacturing-related data.
- Attacker activity included exfiltrating hundreds of gigabytes of information and collecting data that could support future cyber attacks, such as credentials and network details.
- The loader is a 64-bit PE DLL, a modified copy of sqlite3.dll with a malicious sqlite3_prepare_v4 export, and it relies on rundll32.exe for execution.
- During execution, the loader parses a file referenced by the third argument passed to the called export, extracting records for processing and exfiltration.
- Symantec provides a large set of IOCs (SHA-256 hashes) associated with Spyder Loader activity, underscoring the campaign's recurring presence on victim networks.
MITRE Techniques
- [T1218.011] Rundll32 – The loader is executed via rundll32.exe to call the malicious sqlite3_prepare_v4 export. Quote: "Whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command-line."
- [T1119] Collection – Targeted intellectual property and other sensitive data including documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data. Quote: "targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data."
- [T1041] Exfiltration Over C2 Channel – Exfiltration of large volumes of data to external infrastructure. Quote: "they exfiltrated hundreds of gigabytes of information."
- [T1071.001] Web Protocols – C2 server communication and coordination of script execution. Quote: "coordinating script execution, and C&C server communication."
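As an added example (not code from the Symantec report or this summary), a small Python detector that applies the rundll32 observations from the key points and the T1218.011 entry to constructed process-creation events: it splits a rundll32 command line into DLL, export and the trailing argument string that rundll32 passes to the export as its third parameter, then flags the sqlite3_prepare_v4 export and any sqlite3.dll invoked through rundll32. The event shape and sample command lines are assumptions.

```python
import re

# Constructed sample process-creation events; not taken from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\ProgramData\sqlite3.dll",sqlite3_prepare_v4 C:\ProgramData\in.dat'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\sqlite3.dll,sqlite3_open"},
]
# Export name the report attributes to Spyder Loader; genuine SQLite exposes no sqlite3_prepare_v4.
SUSPICIOUS_EXPORTS = {"sqlite3_prepare_v4"}


def parse_rundll32(cmdline):
    """Split 'rundll32.exe <dll>,<export> [args]' into (dll, export, args).
    rundll32 passes [args] to the export as its third parameter (lpszCmdLine),
    the argument the report says the loader reads its input file from."""
    m = re.match(r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*', cmdline, re.I)
    if not m:
        return None
    s = cmdline[m.end():]
    if s.startswith('"'):  # quoted DLL path, may contain spaces
        end = s.find('"', 1)
        if end < 0:
            return None
        dll, s = s[1:end], s[end + 1:].lstrip()
    else:
        m = re.match(r"[^,\s]+", s)
        if not m:
            return None
        dll, s = m.group(0), s[m.end():].lstrip()
    m = re.match(r",\s*(\S+)\s*(.*)$", s, re.S)  # ',export [args]'
    return (dll, m.group(1), m.group(2).strip()) if m else None


def assess(event):
    """Return the reasons a process-creation event resembles Spyder Loader execution."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return []
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return ["rundll32 launched without a parseable dll,export pair"]
    dll, export, args = parsed
    reasons = []
    if export.lower() in SUSPICIOUS_EXPORTS:
        reasons.append(f"export {export} is a Spyder Loader indicator; third argument: {args!r}")
    if dll.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "sqlite3.dll":
        reasons.append(f"sqlite3.dll invoked through rundll32 from {dll}")
    return reasons
```

The third-argument string surfaced in the first reason is the file path worth pulling for triage, since that is where the loader reads its records from.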
Indicators of Compromise
- [SHA-256 Hash] Spyder Loader IOCs – 00634e46b14ba42c12e35a367f1c7a616fb8e8754ebb2e24ae936377a3ee544a, 033313b31fbea64a1a0a53b38c74236f7af2e49018faa2be6c036427c456ef6d and 2 more hashes