ESET researchers have discovered a new campaign launched by the notorious Chinese state hacking group known as “Winnti”. The targets of this new series of attacks are two Hong Kong universities (and possibly also another three), and the time of the detection coincides with the time the Hong Kong protests began. Based on the method of the attacks and the tools that were used, the researchers deduced that Winnti was trying to exfiltrate data from the compromised systems, and not to cause any disruptive damage.
More specifically, the Winnti Group actors have deployed a new variant of the “ShadowPad”, which is one of their custom backdoors. This malware is capable of taking screenshots, conducting keylogging, parsing local files, and stealing browsing data and communications. For some reason, Winnti decided to replace their payload at some point, and use one that wasn’t obfuscated using VMProtect. This new payload was also missing the RC5 encryption that is typically present in Winnti’s tools. The 32-bit launcher of the ShadowPad is named “hpqhvsei.dll”, and it is used as a side-loading element when the victims launch the ‘HP Digital Imaging’ app which controls HP printers.
Source: WeLiveSecurity
Once the payload has established its presence on the infected machine, it is decrypted via an XOR loop, and then a shellcode execution foll ..
Support the originator by clicking the read the rest link below.
