ShadowPad Backdoor Used in Attacks on Hong Kong Universities

Delaware, USA – February 3, 2020 – Chinese cyberspies did not disregard the protests in Hong Kong and conducted a highly targeted cyber espionage campaign. The adversaries targeted five universities that were infected with a ‘refreshed’ version of ShadowPad malware. In November 2019, ESET detected malware on multiple systems of two Hong Kong universities that were infected with Winnti group tools during the previous month. Researchers have discovered a new launcher and “embedding numerous modules”. All detected malware samples contained campaign identifiers and C&C URLs with the names of the universities, which confirmed the infection of at least three other Hong Kong universities. The ShadowPad launcher for this campaign has been greatly simplified: it uses XOR-encryption instead of RC5 key block encryption algorithm and it isn’t obfuscated with VMProtect.

ShadowPad backdoor has a modular structure, and attackers for each campaign compile malware samples with the necessary modules. Researchers found record-breaking 17 modules in the analyzed sample including previously unseen ‘RecentFiles’ module, which lists recently accessed files. Recall that the Chinese APT groups recently compromised Mitsubishi Electric and stole about 200 MB of sensitive data. Also, Japanese electronics and IT company NEC Corp confirmed a data breach that took place in December 2016: Chinese state-sponsored actors stole 27,445 files from its defense business division. You can check the MITRE ATT&CK section at Threat Detection Marketplace to learn more about techniques used by the group and find relevant content to secure your organization: