Winnti hacking group attacked Hong Kong universities

Winnti attacked Hong Kong universities

ESET experts found that during protests that began back in March 2019, Winnti attacked two unnamed Hong Kong universities.

The attacks were detected in November 2019 and began with the discovery of the ShadowPad launcher, which was found on several devices at two universities (shortly after the previous Winnti campaign detected in October of that year).

“We found a new variant of the ShadowPad backdoor, the group’s flagship backdoor, deployed using a new launcher and embedding numerous modules. The Winnti malware was also found at these universities a few weeks prior to ShadowPad”, — write ESET researchers.

The Winnti Group, which has been operating at least since 2012, is responsible for the well-known supply-chain attacks in the video games and software industry, which resulted in the spread of the Trojan program. That time were attacked CCleaner, ASUS LiveUpdate, and several video games. These cybercriminals are also known for endangering various objects in the healthcare and education sectors.

According to information security experts, attacks on Hong Kong universities were targeted, as the Winnti malware and the Shadowpad modular backdoor contained C&C URLs and campaign identifiers directly related to the names of the affected educational institutions.

“In addition to the two compromised universities, thanks to the C&C URL format used by the attackers, we have reasons to think that at least three additional Hong Kong universities may have been compromised using these same ShadowPad and Winnti variants”, – say the researchers.

Experts believe that the ultimate goal of the attackers was definitely collection and theft of data from hacked machines. Therefore, the ShadowPad option, detected on infected devices, had the functions of a keylogger and could take screenshots using the functionality of 2 of the 17 modules that included the malware.

It is also noted that during this campaign, the ShadowPad launcher was replaced with a simpler one that did not use VMProtec obfuscation, but used XOR encryption instead of the RC5 block encryption algorithm.

Winnti Group campaign against Hong Kong universities took place in the context of Hong Kong facing civic protests that started in June 2019 and were triggered by an extradition bill. Even though the bill was withdrawn in October 2019, protests continued, demanding full democracy and investigation of the Hong Kong police. These protests gathered hundreds of thousands of people in the streets with large support from students of Hong Kong universities, leading to multiple university campus occupations by the protesters.

Attacks by government-sponsored hackers, both against their citizens and against foreign companies, became a real problem in 2019. Their number has skyrocketed. Cyber warfare is underway in the world and if you want not to be vulnerable to information threats, use reliable anti-virus software.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *