Chinese HUI Loader malware ups the ante on espionage attacks

A state-sponsored piece of malware may become a favorite weapon for Beijing-backed hacking crews looking to lift intellectual property from foreign firms.

A well-known piece of espionage malware underscores the threat foreign companies face from Chinese state-sponsored hacking crews.

Known as HUI Loader, the malware has been active for more than seven years but has only recently been linked to multiple state-sponsored groups coming out of China.

The HUI Loader malware can now be connected to a pair of malware operations that use the threat of ransomware as a façade to steal intellectual property from targets, according to researchers with the Secureworks Counter Threat Unit (CTU).

Operating as a DLL loader attack, HUI Loader conceals itself within an otherwise harmless executable file spread via spam, phishing or a software vulnerability exploit. The malware itself dates back to 2015 and has been connected to multiple hacking campaigns attributed to China-based groups.

Once installed and running in memory, the HUI Loader tool pulls up the malware responsible for doing the dirty work of copying, uploading, and encrypting data on the host system. Some of this is conducted via a Cobalt Strike payload and the rest is done via proprietary malware packages, Secureworks CTU reported.

Ultimately, the aim of the attack is to lift intellectual property from the target under the guise of a malware attack. This would offer the Chinese government some degree of deniability for stealing sensitive data as admins are left thinking they're the targets of common cybercriminals.

For most network admins and defenders, this is nothing new or noteworthy. However, when pulling back a bit from the attacks, Secureworks' researchers noticed a pattern that could link the intellectual property attacks to groups organized and managed by Beijing.

"Distribution and sharing of malware that have been developed by individuals linked to Chinese intelligence agencies is common among Chinese threat groups," Marc Burnard, senior consultant information security research for Secureworks told SearchSecurity.

One of the most prominent campaigns to use the HUI-Loader tool was A41APT, an attack that can be traced to a hacking crew referred to as Bronze Starlight. That operation has direct links to China's Ministry of State Security (MSS).

Threat groups based in China are known to adopt offensive security tools developed by independent researchers both within and outside of the country, Burnard said.

"Sometimes these tools are only shared within closed forums," Burnard said. "However, given the earliest use of the HUI Loader is exclusively linked to Chinese state-sponsored espionage threat groups such as 'Bronze Riverside,' it is plausible that the HUI Loader could have been developed by individuals working for an intelligence unit of the PLA [People's Liberation Army] or MSS."

While the majority of attacks have been limited to Japanese companies, enterprises in the U.S. and Europe should update their software and make sure users are vigilant about common phishing and social engineering attacks and methods, according to best practices.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing