Winnti: Researchers at ESET discovered a new campaign by the Winnti Group in November that targeted two universities in Hong Kong. A few weeks after finding the Winnti malware, an updated version of their “ShadowPad” backdoor was also discovered.
MITRE describes the Winnti Group as a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.
While analyzing the new version of ShadowPad, ESET discovered campaign identifiers and names of universities in the C2 (command and control) URLs. This led them to believe at least three more universities had been infected by the Winnti Group. Previous versions of ShadowPad took numerous steps to protect itself against analysis including encryption, alternate data streams (ADS) and VMProtect, none of which seemed to be used this time. For persistence, a legitimate application from HP is dropped with ShadowPad and patched at runtime by the malware. Once patched, it is saved to disk and a Windows service is created to launch it. Both the file path and service name are set in an obfuscated list of strings in the malware’s configuration. To communicate, ShadowPad grabs the C2 URL and the name of a process to inject into from its configuration. Once it contacts the C2, it will update Windows firewall rules to allow incoming connections.
Analyst Notes
Detecting potential attacker behaviors such as programs that change Windows firewall rules to allow incoming connections and new services being installed is crucial for identifying advanced threats. Since these behaviors are not always malicious, it is important for skilled analysts to investigate unexpected changes to determine whether they represent a threat when considered in context. Always keep anti-virus solutions up-to-date. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Using an EDR solution or an MDR (managed detection and response) can help spot threats before they spread too far. Analysts at the Binary Defense Security Operations Center detect threats on our clients’ workstations and servers 24-hours a day and respond quickly to contain infections, preventing minor incidents from becoming a source of major damage across the company.
Source: https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/, https://attack.mitre.org/groups/G0044/
