Winnti APT Group targeted Hong Kong Universities

Winnti Group has compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Hackers from the China-linked Winnti group have compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019.

Researchers from ESET discovered the attacks in November 2019 when they spotted the ShadowPad launcher malware samples on multiple devices at the two universities. The launchers were discovered two weeks after Winnti malware infections were detected in October 2019.

“In November 2019, we discovered a new campaign run by the Winnti Group against two Hong Kong universities. We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules.” reads the analysis published by ESET. “The Winnti malware was also found at these universities a few weeks prior to ShadowPad.”

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEADPassCV, Wicked Panda, and ShadowPad.

Experts discovered samples from both ShadowPad and Winnti at the universities that were containing campaign identifiers and C&C URLs with the names of the universities, a circumstance that indicates a highly targeted attack.

“One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.” continues the report.

“From this format, we were able to find several C&C URLs, including three additional Hong Kong universities’ names. The campaign identifiers found in the samples we’ve analyzed match the subdomain part of the C&C server, showing that these samples were really targeted against these universities.”

One can observe that the C&C URL used by both Winnti and ShadowPad complies to the scheme [backdoor_type][target_name].domain.tld:443 where [backdoor_type] is a single letter which is either “w” in the case of the Winnti malware or “b” in the case of ShadowPad.

Analyzing the C&C URL format experts determined that hackers targeted three additional Hong Kong universities. 

The ShadowPad multi-modular backdoor employed in the attacks against the Hong Kong universities was referencing 17 modules focused on info-stealing that were used to collect information from infected systems.

“In contrast, the variants we described in our white paper didn’t even have that module embedded.” continues the report.

Unlike previous variants of the ShadowPad backdoor detailed in ESET white paper on the arsenal of the Winnti Group, this launcher is not obfuscated using VMProtect, instead it used XOR-encryption rather than the typical RC5 key block encryption algorithm.

Other technical details are reported in the ESET’s analysis, including Indicators of Compromise (IoCs).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.