Pierluigi Paganini February 01, 2020

Winnti Group has compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Hackers from the China-linked Winnti group have compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Researchers from ESET discovered the attacks in November 2019 when they spotted the ShadowPad launcher malware samples on multiple devices at the two universities. The launchers were discovered two weeks after Winnti malware infections were detected in October 2019.

“In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules.” reads the analysis published by ESET. “The Winnti malware was also found at these universities a few weeks prior to ShadowPad.”

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

Experts discovered samples from both ShadowPad and Winnti at the universities that were containing campaign identifiers and C&C URLs with the names of the universities, a circumstance that indicates a highly targeted attack.

“One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.” continues the report.

“From this format, we were able to find several C&C URLs, including three additional Hong Kong universities’ names. The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C&C server, showing that these samples were really targeted against these universities.”

One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.

Analyzing the C&C URL format experts determined that hackers targeted three additional Hong Kong universities. 

The ShadowPad multi-modular backdoor employed in the attacks against the Hong Kong universities was referencing 17 modules focused on info-stealing that were used to collect information from infected systems.

“In contrast, the variants we described in our white paper didn’t even have that module embedded.” continues the report.

Unlike previous variants of the ShadowPad backdoor detailed in ESET white paper on the arsenal of the Winnti Group, this launcher is not obfuscated using VMProtect, instead it used XOR-encryption rather than the typical RC5 key block encryption algorithm.

Other technical details are reported in the ESET’s analysis, including Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]