Winnti: Researchers at ESET discovered a new campaign by the Winnti Group in November that targeted two universities in Hong Kong. A few weeks after finding the Winnti malware, ESET also discovered an updated version of the group's “ShadowPad” backdoor.
MITRE describes the Winnti Group as a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.
While analyzing the new ShadowPad sample, ESET found campaign identifiers and the names of universities embedded in its C2 (command and control) URLs, which led them to believe at least three more universities had been compromised by the Winnti Group. Previous ShadowPad versions took numerous steps to resist analysis, including encryption, use of alternate data streams (ADS) and VMProtect; none of these appeared to be used in this sample.

For persistence, a legitimate HP application is dropped alongside ShadowPad and patched at runtime by the malware; the patched copy is then written to disk and a Windows service is created to launch it. Both the file path and the service name come from an obfuscated list of strings in the malware's configuration. Because the on-disk launcher is a modified copy of a vendor-signed binary, its Authenticode signature no longer validates, which is a useful check when reviewing service binaries on a suspect host. To communicate, ShadowPad reads the C2 URL and the name of a process to inject into from the same configuration. Once it has contacted the C2, it modifies Windows Firewall rules to allow incoming connections.
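The persistence and firewall behaviour described above leaves two event-log traces a defender can correlate: a Service Control Manager event 7045 ("A service was installed in the system") followed shortly by a Windows Firewall event 2004 ("A rule has been added to the Windows Firewall exception list"). The script below is an added hunting example, not code from ESET or from the report; the events it runs over are constructed sample records with made-up hosts, service names, paths and rule names, and the flattened field names are an assumption about how a SIEM export might look.

```python
"""Correlate a new service install with a subsequent inbound firewall allow rule.

Added hunting example for the ShadowPad persistence chain described above:
a patched binary is written to disk, registered as a Windows service, and the
malware later opens the firewall for inbound connections. The records in
SAMPLE_EVENTS are CONSTRUCTED for illustration; field names are hypothetical.
"""
from datetime import datetime, timedelta

# Correlation window between service install (7045) and firewall change (2004).
WINDOW = timedelta(minutes=15)

# Install roots where a service binary is normally expected (assumed baseline).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events (not from the ESET report). WS01 shows the pattern
# of interest; WS02 is benign noise.
SAMPLE_EVENTS = [
    {"time": "2019-11-12T09:01:10", "id": 7045, "host": "WS01",
     "service": "Update Helper", "image": r"C:\ProgramData\hpsvc\hpqsvc.exe"},
    {"time": "2019-11-12T09:03:42", "id": 2004, "host": "WS01",
     "rule": "Core Networking Helper", "direction": "In", "action": "Allow",
     "program": r"C:\ProgramData\hpsvc\hpqsvc.exe"},
    {"time": "2019-11-12T10:15:00", "id": 7045, "host": "WS02",
     "service": "Vendor Agent", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"time": "2019-11-13T08:00:00", "id": 2004, "host": "WS02",
     "rule": "Remote Desktop", "direction": "In", "action": "Allow",
     "program": "System"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def suspicious_path(path):
    """True when a service binary lives outside the usual install roots."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def correlate(events, window=WINDOW):
    """Return one finding per service install that either sits in an odd
    location or is followed within `window` by an inbound allow rule on the
    same host. Each finding lists the reasons it was flagged."""
    installs = [e for e in events if e["id"] == 7045]
    allow_rules = [e for e in events if e["id"] == 2004
                   and e["direction"] == "In" and e["action"] == "Allow"]
    findings = []
    for svc in installs:
        t0 = parse_time(svc["time"])
        reasons = []
        if suspicious_path(svc["image"]):
            reasons.append("service binary outside standard install roots")
        for rule in allow_rules:
            t1 = parse_time(rule["time"])
            if rule["host"] != svc["host"] or not (t0 <= t1 <= t0 + window):
                continue
            same_binary = rule["program"].lower() == svc["image"].lower()
            reasons.append("inbound allow rule %r added %d s after install%s" % (
                rule["rule"], int((t1 - t0).total_seconds()),
                " for the same binary" if same_binary else ""))
        if reasons:
            findings.append({"host": svc["host"], "service": svc["service"],
                             "image": svc["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["host"], finding["service"], finding["image"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A hit from this correlation is a prompt to pull the service binary and check it: a runtime-patched copy of a signed vendor executable will fail Authenticode validation (for example with `Get-AuthenticodeSignature` in PowerShell), which separates it from a legitimately installed copy of the same application.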