ShadowPad Malware is Becoming a Favorite Choice of Chinese Espionage Groups

ShadowPad, an infamous Windows backdoor that allows attackers to download further malicious modules or steal data, has been put to use by five different Chinese threat clusters since 2017.

“The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors,” SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said in a detailed overview of the malware, adding “some threat groups stopped developing their own backdoors after they gained access to ShadowPad.”

The American cybersecurity firm dubbed ShadowPad a “masterpiece of privately sold malware in Chinese espionage.”

A successor to PlugX and a modular malware platform since 2015, ShadowPad catapulted to widespread attention in the wake of supply chain incidents targeting NetSarang, CCleaner, and ASUS, leading the operators to shift tactics and update their defensive measures with advanced anti-detection and persistence techniques.

More recently, attacks involving ShadowPad have singled out organizations in Hong Kong as well as critical infrastructure in India, Pakistan, and other Central Asian countries. Although primarily attributed to APT41, the implant is known to be shared among several Chinese espionage actors such as Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger.

“[The threat actor behind Fishmonger is] now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike,” the researchers said. “The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S.”

The malware functions by decrypting and loading a Root plugin in memory, which takes care of loading other embedded modules during runtime, in addition to dynamically deploying additional plugins from a remote command-and-control (C2) server, enabling adversaries to incorporate extra functionality not built into the malware by default. At least 22 unique plugins have been identified to date.

The infected machines, for their part, are commandeered by a Delphi-based controller that’s used for backdoor communications, updating the C2 infrastructure, and managing the plugins.

Interestingly, the feature set made available to ShadowPad users is not only tightly controlled by its seller, but each plugin is also sold separately rather than as a full bundle containing all of the modules; of the roughly 100 samples examined, most embed fewer than nine plugins.

“The emergence of ShadowPad, a privately sold, well-developed and functional backdoor, offers threat actors a good opportunity to move away from self-developed backdoors,” the researchers said. “While it is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development.”
