Amid student protests, Winnti Group targets Hong Kong universities, ESET discovers

BRATISLAVA, MONTREAL – ESET researchers have recently discovered a new campaign by the Winnti group. This time, Hong Kong universities were the desired target. ESET’s machine-learning engine detected a unique, malicious sample on multiple computers belonging to two Hong Kong universities. In addition to the two confirmed compromised universities, ESET has indications that at least three additional universities may have been affected. The attackers were interested in stealing information from the victims’ machines. This campaign of the Winnti Group was taking place as widespread civic protests swept Hong Kong, including the territory’s universities.

The latest research into the Winnti Group, previously responsible for high-profile supply-chain attacks against the video game and software development industries as well as attacks against the healthcare and education sectors, confirms that the group is still using its flagship ShadowPad backdoor. However, in the campaign against Hong Kong universities, ShadowPad’s launcher was replaced with a new and simpler version detected by ESET products as Win32/Shadowpad.C.

“Both ShadowPad and Winnti, found at these universities in November 2019, contain campaign identifiers and command & control URLs matching the name of the universities, which indicates a targeted attack,” says Mathieu Tartare, leading ESET researcher into the Winnti Group.

“ShadowPad is a multi-modular backdoor and, by default, every keystroke is recorded using the Keylogger module. The use of this module by default indicates that the attackers are interested in stealing information from the victims’ machines. In contrast, the variants we described in our earlier whitepaper didn’t even have that module embedded,” elaborates Tartare on the discovery.

For more technical details about the latest Winnti Group discovery, read the blog post “Winnti Group targeting universities in Hong Kong” on WeLiveSecurity.com. ESET researchers also recently published a whitepaper updating our understanding of the arsenal of the Winnti Group. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum, including Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.