
was first documented in May 2022 by researchers at Cybereason, who said the intelligence-gathering campaign had been operating under the radar since at least 2019, stealing intellectual property and other sensitive data from victims.
In the attacks observed by Symantec, the attackers remained active on some networks for more than a year. We saw the Spyder Loader (Trojan.Spyload) malware deployed on victim networks, indicating this activity is likely part of that ongoing campaign. While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection.
Background to Operation CuckooBees
The Spyder Loader malware was first discussed publicly in a March 2021 blog by SonicWall, with the researchers saying at the time that the malware was “being used for targeted attacks on information storage systems, collecting information about corrupted devices, executing mischievous payloads, coordinating script execution, and C&C server communication.”
These initial findings were expanded on substantially in a detailed Cybereason investigation published in May 2022, which detailed a long-running campaign that the researchers dubbed Operation CuckooBees. They said that this campaign had been ongoing since at least 2019. The researchers said that the attackers exfiltrated hundreds of gigabytes of information and that they “targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data.” They also stole data that could be leveraged for use in future cyber attacks — such as credentials, customer data, and information about network architecture.
Among the tools used in that campaign was the Spyder Loader malware, which is what was also observed in the activity seen by Symantec researchers.
Spyder Loader – Technical Details
The loader sample analyzed by Symantec researchers is compiled as a 64-bit PE DLL.
It is a modified copy of sqlite3.dll, with the following malicious export added:
- sqlite3_prepare_v4
The sqlite3_prepare_v4 export expects a string as its third argument. Reportedly, whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command line. When this loader is executed, it extracts a file name from its third argument, and the file referred to is expected to contain a sequence of records. Each record has the following structure:
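The execution pattern described above (rundll32.exe invoking an sqlite3-named DLL through an export that upstream SQLite does not provide, with a file name in the remainder of the command line) is something a defender can look for in process-creation telemetry. The script below is an added example, not code from Symantec or from the loader itself; it does not cover the record format, which is described separately. It parses rundll32 command lines, isolates the DLL, the export and the trailing text that rundll32 hands to the export as its lpszCmdLine argument, and flags sqlite3-named DLLs called through sqlite3_prepare_v4 or any other sqlite3_prepare variant absent from upstream SQLite. The process events are constructed for the example; the hypothetical names parse_rundll32, assess and scan are not from the original.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Statement-preparation exports that a genuine upstream sqlite3.dll provides.
# sqlite3_prepare_v4 (the export named in the write-up) is not among them, so
# a rundll32 call into an sqlite3-named DLL through that name is the signal.
LEGITIMATE_SQLITE_PREPARE_EXPORTS = {
    "sqlite3_prepare", "sqlite3_prepare16",
    "sqlite3_prepare_v2", "sqlite3_prepare16_v2",
    "sqlite3_prepare_v3", "sqlite3_prepare16_v3",
}
SUSPICIOUS_EXPORT = "sqlite3_prepare_v4"

# rundll32.exe <dll>,<export> <rest of command line>
# rundll32 passes everything after "<dll>,<export>" to the export as its
# third (lpszCmdLine) parameter, which is where the loader reads its file name.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|[^\s,]+),(?P<export>[A-Za-z0-9_@#]+)'
    r'(?:\s+(?P<args>.*\S))?\s*$',
    re.IGNORECASE,
)

# Constructed process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
    '"C:\\Windows\\System32\\rundll32.exe" C:\\Users\\Public\\sqlite3.dll,'
    'sqlite3_prepare_v4 C:\\Users\\Public\\records.dat',
    'rundll32.exe "C:\\Program Files\\App\\sqlite3.dll",sqlite3_prepare_v2 foo',
    'C:\\Windows\\System32\\cmd.exe /c whoami',
]


@dataclass
class Rundll32Call:
    dll: str                    # DLL path with surrounding quotes removed
    export: str                 # export name after the comma
    cmdline_arg: Optional[str]  # text the export receives as lpszCmdLine


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split a rundll32 command line into DLL, export and trailing argument."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return Rundll32Call(m.group("dll").strip('"'), m.group("export"), m.group("args"))


def file_name(path: str) -> str:
    # Windows paths; os.path.basename would not split on backslashes on Linux.
    return re.split(r"[\\/]", path)[-1].lower()


def assess(call: Rundll32Call) -> List[str]:
    """Return the reasons a rundll32 call matches the loader's execution pattern."""
    reasons: List[str] = []
    if "sqlite3" not in file_name(call.dll):
        return reasons
    export = call.export.lower()
    if export == SUSPICIOUS_EXPORT:
        reasons.append(f"export {call.export} does not exist in upstream sqlite3.dll")
    elif export.startswith("sqlite3_prepare") and export not in LEGITIMATE_SQLITE_PREPARE_EXPORTS:
        reasons.append(f"unknown sqlite3_prepare variant {call.export}")
    if reasons and call.cmdline_arg:
        # The loader takes its record file name from this argument: keep it for triage.
        reasons.append(f"lpszCmdLine names a candidate record file: {call.cmdline_arg}")
    return reasons


def scan(events: List[str]) -> List[dict]:
    """Run the check over a list of process command lines and collect alerts."""
    alerts = []
    for idx, line in enumerate(events):
        call = parse_rundll32(line)
        if call is None:
            continue
        reasons = assess(call)
        if reasons:
            alerts.append({"event": idx, "dll": call.dll,
                           "export": call.export, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

Only the second constructed event is reported: the shell32 call is an ordinary rundll32 use, and the sqlite3_prepare_v2 call uses an export upstream SQLite really exports. Because sqlite3.dll is a library rather than a rundll32 target, broadening the rule to alert on any rundll32 invocation of an sqlite3-named DLL is a cheap widening if the false-positive rate in a given environment allows it.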