Amid student protests, Winnti Group targets Hong Kong universities, ESET discovers

BRATISLAVA, MONTREAL – ESET researchers have recently discovered a new campaign by the Winnti group. This time, Hong Kong universities were the desired target. ESET’s machine-learning engine detected a unique, malicious sample on multiple computers belonging to two Hong Kong universities. In addition to the two confirmed compromised universities, ESET has indications that at least three additional universities may have been affected. The attackers were interested in stealing information from the victims’ machines. This campaign of the Winnti Group was taking place as widespread civic protests swept Hong Kong, including the territory’s universities.

The latest research into Winnti Group, previously responsible for high-profile supply-chain attacks against the video game and software development industry as well as attacks against healthcare and education sectors, confirms that the group is still using its flagship ShadowPad backdoors. However, in the campaign against Hong Kong universities, ShadowPad’s launcher was replaced with a new and simpler version detected by ESET products as Win32/Shadowpad.C.

“Both ShadowPad and Winnti, found at these universities in November 2019, contain campaign identifiers and command & control URLs matching the name of the universities, which indicates a targeted attack,” says Mathieu Tartare, leading ESET researcher into the Winnti Group.

“ShadowPad is a multi-modular backdoor and, by default, every keystroke is recorded using the Keylogger module. The use of this module by default indicates that the attackers are interested in stealing information from the victims’ machines. In contrast, the variants we described in our earlier whitepaper didn’t even have that module embedded,” elaborates Tartare on the discovery.

For more technical details about the latest discovery into the Winnti Group, read the blog post Winnti Group targeting universities in Hong Kong on WeLiveSecurity.com. ESET researchers recently published a whitepaper updating our understanding of the arsenal of the Winnti Group as well. Make sure to follow ESET research on Twitter for the latest news from ESET Research. 



About Version 2 Limited

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About ESET

Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET’s award-winning, antivirus software system, NOD32, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte’s Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, U.K.; Buenos Aires, AR; Prague, CZ; San Diego, USA; and is represented worldwide in more than 100 countries.