Chinese Hackers Target Hong Kong Universities With New Backdoor Variant

The China-linked threat group tracked as Winnti was observed using a new variant of the ShadowPad backdoor in recent attacks targeting Hong Kong universities, ESET’s security researchers report.

Believed to have been active since at least 2009, the Winnti Group is operating under the same umbrella as Axiom, Barium, Group 72, Blackfly, and APT41, targeting the aviation, gaming, pharmaceuticals, technology, telecommunication, and software development sectors in industrial cyber-espionage campaigns.

In October last year, ESET detailed two new backdoors employed by the hackers, namely PortReuse and the Microsoft SQL-targeting skip-2.0.

One month later, the security researchers discovered a new campaign run by the Chinese hackers, targeting two Hong Kong universities with a new variant of the ShadowPad backdoor, the group’s flagship tool.

A few weeks prior to discovering the backdoor, the Winnti malware was found on computers at these universities.

Campaign identifiers and command and control (C&C) URLs used in these malware samples featured the names of the universities, suggesting a targeted attack. Moreover, the C&C URL format used led the researchers to believe that at least three other Hong Kong universities may have been compromised.

Responding to a SecurityWeek inquiry, ESET researcher Mathieu Tartare revealed that the company did provide assistance to some of the affected universities in remediating the compromise.

“We helped them remediate the compromise and, from our telemetry, it looks like the threat was properly neutralized. However, some universities we did contact did not reply back with any information. Thus, we have no way to check whether they were actually compromised or not and, if that’s the case, if they still are,” Tartare said.

The new ShadowPad launcher, ESET reveals, is much simpler compared to previously analyzed malware samples used by the Winnti Group, and is likely executed via DLL side-loading.

Persistence is achieved by writing the in-memory patched parent process to disk at a specific path, using names similar to those of a Microsoft .NET optimization service to avoid suspicion.

The ShadowPad backdoor embeds 17 modules, including an initial shellcode, a module loader, a persistence module, several communications modules, a user impersonation module, process and service handlers, a keylogger, a screenshot capturer, and modules for registry, file system, and command line operations.

ESET also identified a previously undocumented module, called RecentFiles, which, as its name suggests, is designed to provide a list of recently accessed files.

Based on the observed timestamps, the security researchers believe that the modules were compiled on October 24, several hours before the launcher itself and only a few weeks before the campaign was launched.

Once up and running on a compromised system, ShadowPad starts a hidden and suspended Microsoft Windows Media Player (wmplayer.exe) process and injects itself into it. Next, the malware contacts the C&C server using the URL specified in the configuration — both ShadowPad and Winnti malware samples discovered on machines at the targeted universities at the end of October used similar URLs.
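The launch-then-inject chain described above is a pattern defenders can hunt for in endpoint telemetry. The following is an added example, not code from ESET or SecurityWeek: it correlates constructed Sysmon-style process-creation (event 1) and CreateRemoteThread (event 8) records and flags a wmplayer.exe process that receives a remote thread from another process, with extra weight when the injector is also the process that spawned it. The field names and the `updater.exe` path are assumptions, not values from the report.

```python
import ntpath

LURE_HOST = "wmplayer.exe"  # the process ShadowPad starts suspended and injects into

# Constructed sample events, modelled loosely on Sysmon event IDs 1 and 8.
# Field names are simplified for the example and are not a real Sysmon export.
EVENTS = [
    {"id": 1, "pid": 512, "ppid": 400, "image": r"C:\Windows\explorer.exe"},
    # Benign: a user opens Media Player from Explorer, no injection follows.
    {"id": 1, "pid": 1200, "ppid": 512,
     "image": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    # Suspicious: an unrelated binary (constructed path) spawns wmplayer.exe
    # and then creates a remote thread inside it.
    {"id": 1, "pid": 2300, "ppid": 512, "image": r"C:\Users\Public\updater.exe"},
    {"id": 1, "pid": 2400, "ppid": 2300,
     "image": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    {"id": 8, "source_pid": 2300, "target_pid": 2400},
    # Self-originating thread in the benign process: not injection, ignored.
    {"id": 8, "source_pid": 1200, "target_pid": 1200},
]


def _basename(path):
    return ntpath.basename(path).lower()


def hunt_shadowpad_injection(events):
    """Return findings for wmplayer.exe processes that receive a remote thread
    from a different process. 'launched_by_injector' is True when the injecting
    process is also the parent, which matches the suspended-launch-then-inject
    chain described for ShadowPad."""
    procs = {}      # pid -> process-creation record
    findings = []
    for ev in events:
        if ev["id"] == 1:
            procs[ev["pid"]] = ev
        elif ev["id"] == 8:
            target = procs.get(ev["target_pid"])
            if target is None or _basename(target["image"]) != LURE_HOST:
                continue
            if ev["source_pid"] == ev["target_pid"]:
                continue  # threads a process creates in itself are normal
            injector = procs.get(ev["source_pid"], {}).get("image", "<unknown>")
            findings.append({
                "target_pid": ev["target_pid"],
                "injector": injector,
                "launched_by_injector": target["ppid"] == ev["source_pid"],
            })
    return findings


if __name__ == "__main__":
    for f in hunt_shadowpad_injection(EVENTS):
        print(f)
```

In a real environment the process records would come from Sysmon or an EDR export, and the allowlist of expected wmplayer.exe parents would need tuning.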

“That these samples, in addition to having been found at these universities, contain campaign IDs matching the universities’ names and use C&C URLs containing the universities’ names are good indications that this campaign is highly targeted,” ESET concludes.

Related: New Winnti Backdoor Targets Microsoft SQL

Related: Researchers Find New Backdoor Used by Winnti Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
