The China-linked threat group tracked as Winnti was observed using a new variant of the ShadowPad backdoor in recent attacks targeting Hong Kong universities, ESET’s security researchers report.
Believed to have been active since at least 2009, the Winnti Group is operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, targeting the aviation, gaming, pharmaceuticals, technology, telecommunication, and software development sectors in industrial cyber-espionage campaigns.
In October last year, ESET detailed two new backdoors employed by the hackers, namely PortReuse and the Microsoft SQL-targeting skip-2.0.
One month later, the security researchers discovered a new campaign run by the Chinese hackers, targeting two Hong Kong universities with a new variant of the ShadowPad backdoor, the group’s flagship tool.
A few weeks prior to discovering the backdoor, the Winnti malware was found on computers at these universities.
Campaign identifiers and command and control (C&C) URLs used in these malware samples featured the names of the universities, suggesting a targeted attack. Moreover, the C&C URL format used led the researchers to believe that at least three other Hong Kong universities may have been compromised.
Responding to a SecurityWeek inquiry, ESET researcher Mathieu Tartare revealed that the company did provide assistance to some of the affected universities in remediating the compromise.
“We helped them remediate the compromise and, from our telemetry, it looks like the threat was properly neutralized. However, some universities we did contact did not reply back with any information. Thus, we have no way to check whether they were actually compromised or not and, if that’s the case, if they still are,” Tartare said.
The new ShadowPad launcher, ESET reveals, is much simpler than the samples previously analyzed from the Winnti Group, and is likely executed via DLL side-loading.
Persistence is achieved by writing the in-memory patched parent process to disk at a specific path, under a file name resembling that of a Microsoft .NET optimization service so that it does not attract suspicion.
The ShadowPad backdoor embeds 17 modules, including an initial shellcode, modules loader, persistence module, several communications modules, a user impersonation module, process and service handlers, keylogger, screenshot capturer, and modules for registry, file system, and command line operations.
ESET also identified a previously undocumented module, called RecentFiles, which, as its name suggests, provides a list of recently accessed files.
Based on the observed timestamps, the security researchers believe that the modules were compiled on October 24, several hours before the launcher itself and only a few weeks before the campaign was launched.
Once up and running on a compromised system, ShadowPad starts a hidden and suspended Microsoft Windows Media Player (wmplayer.exe) process and injects itself into it. Next, the malware contacts the C&C server using the URL specified in the configuration — both ShadowPad and Winnti malware samples discovered on machines at the targeted universities at the end of October used similar URLs.
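The two behaviours described above, a persisted file masquerading as the .NET optimization service and a wmplayer.exe process spawned by something other than the usual parent and then talking to a C&C URL, are both visible in process-creation and network-connection telemetry. The following is an added hunting example, not code from ESET or from the article; it assumes Sysmon-style events (EventID 1 process create, EventID 3 network connect, correlated by ProcessGuid), assumes the service being imitated is the .NET Runtime Optimization Service binary mscorsvw.exe, and uses a constructed set of events and a hypothetical C:\ProgramData\NetFx\mscorsvc.exe lookalike for input. The list of expected wmplayer.exe parents is a heuristic, not a fact from the article.

```python
"""Hunt for ShadowPad-style tradecraft (lookalike .NET service binary,
wmplayer.exe spawned by an unexpected parent, and outbound connections
from that wmplayer.exe) over constructed Sysmon-style JSON events."""
import json
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Assumption: the imitated service is the .NET Runtime Optimization Service,
# whose real binary lives under the .NET Framework directories.
DOTNET_SVC = "mscorsvw.exe"
DOTNET_DIRS = (
    "c:\\windows\\microsoft.net\\framework",
    "c:\\windows\\microsoft.net\\framework64",
)
WMP_IMAGE = "C:\\Program Files\\Windows Media Player\\wmplayer.exe"
# Heuristic (assumption): parents from which a user would normally start WMP.
EXPECTED_WMP_PARENTS = {"explorer.exe", "svchost.exe", "userinit.exe"}


def looks_like_dotnet_service(image: str) -> bool:
    """True when the file name nearly matches mscorsvw.exe but the file is
    not in a .NET Framework directory (a masquerading copy)."""
    path = PureWindowsPath(image)
    similarity = SequenceMatcher(None, path.name.lower(), DOTNET_SVC).ratio()
    if similarity < 0.8:  # one or two substituted characters still score >0.8
        return False
    parent_dir = str(path.parent).lower()
    return not any(parent_dir.startswith(d) for d in DOTNET_DIRS)


def hunt(event_lines):
    """Return (rule, ProcessGuid, detail) findings in event order, correlating
    network connections back to processes already flagged on creation."""
    findings, flagged = [], set()
    for line in event_lines:
        ev = json.loads(line)
        image = ev["Image"]
        name = PureWindowsPath(image).name.lower()
        if ev["EventID"] == 1:
            if looks_like_dotnet_service(image):
                findings.append(("dotnet-lookalike", ev["ProcessGuid"], image))
                flagged.add(ev["ProcessGuid"])
            if name == "wmplayer.exe":
                parent = PureWindowsPath(ev["ParentImage"]).name.lower()
                if parent not in EXPECTED_WMP_PARENTS or ev["ParentProcessGuid"] in flagged:
                    findings.append(("wmplayer-unexpected-parent", ev["ProcessGuid"], ev["ParentImage"]))
                    flagged.add(ev["ProcessGuid"])
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in flagged:
            # Any outbound connection from a flagged process is a C&C candidate.
            dest = f'{ev["DestinationHostname"]}:{ev["DestinationPort"]}'
            findings.append(("c2-candidate", ev["ProcessGuid"], dest))
    return findings


def _ev(eid, guid, image, parent=None, pguid=None, host=None, port=None):
    ev = {"EventID": eid, "ProcessGuid": guid, "Image": image}
    if eid == 1:
        ev.update(ParentImage=parent, ParentProcessGuid=pguid)
    else:
        ev.update(DestinationHostname=host, DestinationPort=port)
    return json.dumps(ev)


# Constructed sample events (not real telemetry); "{g2}" is the hypothetical
# persisted lookalike, "{g4}" the wmplayer.exe it spawns.
SAMPLE_EVENTS = [
    _ev(1, "{g1}", "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe",
        "C:\\Windows\\System32\\services.exe", "{g0}"),             # legitimate
    _ev(1, "{g2}", "C:\\ProgramData\\NetFx\\mscorsvc.exe",
        "C:\\Windows\\System32\\cmd.exe", "{g0}"),                  # lookalike
    _ev(1, "{g3}", WMP_IMAGE, "C:\\Windows\\explorer.exe", "{g0}"),  # user-started WMP
    _ev(1, "{g4}", WMP_IMAGE, "C:\\ProgramData\\NetFx\\mscorsvc.exe", "{g2}"),
    _ev(3, "{g3}", WMP_IMAGE, host="go.microsoft.com", port=443),  # benign
    _ev(3, "{g4}", WMP_IMAGE, host="example.invalid", port=443),   # C&C candidate
]

if __name__ == "__main__":
    for rule, guid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {guid:6} {detail}")
```

The correlation on ProcessGuid is the part worth keeping: a lone wmplayer.exe network connection is not evidence (the player does contact Microsoft services), but one from an instance whose parent is itself a suspicious file is.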
“That these samples, in addition to having been found at these universities, contain campaign IDs matching the universities’ names and use C&C URLs containing the universities’ names are good indications that this campaign is highly targeted,” ESET concludes.