A new malware tool has been observed being deployed as part of the still-active attack campaign tracked as CuckooBees. The threat, known as Spyder Loader, carries data-collecting capabilities. Spyder Loader has previously been used in operations attributed to APT41 (also tracked as Winnti, Barium, Wicked Panda and Bronze Atlas), but it is a later addition to CuckooBees specifically. Details about the threat and the attack campaign were published in a report by security researchers.
APT41 is considered one of the oldest threat groups still operating, believed to have been active since at least 2007. It is also one of the most active APT (Advanced Persistent Threat) groups, with numerous attack campaigns over the years. CuckooBees, for its part, has stayed mostly under the radar since at least 2019 and appears to primarily target selected Hong Kong-based organizations.
Spyder Loader Details
According to the researchers, Spyder Loader is a sophisticated modular threat. It has received multiple updates and continues to be improved by its operators. Its main goal is to harvest sensitive data and exfiltrate it to the attackers. The three categories of data the operators are most interested in are the breached organization's credentials, its customer data and information about its network architecture.
Spyder Loader is equipped with several techniques intended to hinder analysis, such as encrypting its strings with the ChaCha20 stream cipher so that they are only decrypted at runtime and do not appear in plain text in the binary. In addition, the threat can be instructed to delete the 'wlbsctrl.dll' payload file and remove other artifacts that could reveal its actions or its presence on the device.
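Because ChaCha20 is a stream cipher, the same keystream that the loader uses to decrypt its strings at runtime lets an analyst decode the whole string table offline once the key and nonce have been recovered from the sample (for instance by locating the "expand 32-byte k" constant and the surrounding key setup). The following added example is illustrative code written for this page, not code from the report or from the malware. It implements RFC 8439 ChaCha20 in pure Python and decodes a string table whose layout (a 12-byte nonce, a little-endian 16-bit length, then the ciphertext, per entry) is an assumption made here for illustration; the real loader's key derivation, nonce handling, initial counter and table format are not described on this page and would have to be taken from the sample. The sample blob is constructed inside the block with a constructed key.

```python
"""ChaCha20 (RFC 8439) keystream and a decoder for a hypothetical
length-prefixed table of ChaCha20-encrypted strings.

Added example for this page; not the malware's own code. The string
table layout, key and sample strings are constructed assumptions.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(value, bits):
    return ((value << bits) & MASK32) | (value >> (32 - bits))


def _quarter_round(s, a, b, c, d):
    # The ChaCha quarter round as specified in RFC 8439, section 2.1.
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32
    s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (key, counter, nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    # State: 4 constant words, 8 key words, 1 counter word, 3 nonce words.
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    work = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(work, 0, 4, 8, 12)   # column rounds
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)  # diagonal rounds
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *((work[i] + state[i]) & MASK32 for i in range(16)))


def chacha20_xor(key, nonce, data, counter=0):
    """XOR data with the keystream; encryption and decryption are the same op."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + offset // 64, nonce)
        chunk = data[offset:offset + 64]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


# ---- hypothetical string table: [12-byte nonce][u16 LE length][ciphertext]... ----

def build_string_table(key, strings):
    """Construct a sample table; exists only to produce test input for the decoder."""
    blob = bytearray()
    for index, text in enumerate(strings):
        nonce = struct.pack("<III", 0, 0, index + 1)  # per-entry nonce (assumed layout)
        ciphertext = chacha20_xor(key, nonce, text.encode("utf-8"))
        blob += nonce + struct.pack("<H", len(ciphertext)) + ciphertext
    return bytes(blob)


def decrypt_string_table(key, blob):
    """Walk the table and return the decrypted strings in order.

    Raises ValueError on a truncated entry instead of silently returning
    partial output, so a wrong key or a mis-identified table offset is noticed.
    """
    strings = []
    offset = 0
    while offset < len(blob):
        if offset + 14 > len(blob):
            raise ValueError("truncated entry header at offset %d" % offset)
        nonce = blob[offset:offset + 12]
        (length,) = struct.unpack_from("<H", blob, offset + 12)
        offset += 14
        ciphertext = blob[offset:offset + length]
        if len(ciphertext) != length:
            raise ValueError("truncated entry body at offset %d" % offset)
        offset += length
        strings.append(chacha20_xor(key, nonce, ciphertext).decode("utf-8", errors="replace"))
    return strings


# Constructed demo key and strings (not recovered from any real sample).
DEMO_KEY = bytes([0x11] * 32)
DEMO_STRINGS = ["wlbsctrl.dll", "constructed sample string", ""]
DEMO_TABLE = build_string_table(DEMO_KEY, DEMO_STRINGS)

if __name__ == "__main__":
    for s in decrypt_string_table(DEMO_KEY, DEMO_TABLE):
        print(repr(s))
```

The block is validated against the RFC 8439 test vectors, so it can be trusted as a reference when comparing against a sample's own implementation; if a malware build deviates from the standard (different constant, round count or counter placement), the RFC vectors will fail against that build, which is itself a useful finding during analysis.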