ShadowPad has become the RAT of choice for several state-sponsored Chinese APTs

By RealHacker Staff
February 28, 2022
The ShadowPad malware came into the spotlight in 2017 when it was used in two software supply-chain attacks by a suspected Chinese state-sponsored hacker group. Since then it has become the tool of choice for several cyberespionage groups that are believed to be associated with China's Ministry of State Security (MSS) and the People's Liberation Army (PLA).

“The malware was likely developed by threat actors affiliated with Bronze Atlas and then shared with MSS and PLA threat groups around 2019,” researchers from security firm Secureworks said in a new report. “Given the range of groups leveraging ShadowPad, all organizations that are likely targets for Chinese threat groups should monitor for TTPs associated with this malware.”

Who is Bronze Atlas?

Bronze Atlas is the alias used by Secureworks for a Chinese cyberespionage group that has been active since at least 2007. The group is known under different names in the security industry: APT41, Axiom, Barium, Wicked Panda and sometimes Winnti, after a Trojan program that has long been in the group's arsenal.

APT41 has targeted a large variety of organizations across its 15-year history. Some of the targeting appeared to match China's geopolitical interests, while other activity looked more like cybercrime attacks meant to steal money. This has prompted speculation that either APT41 is an external contractor that the Chinese agencies rely on for some operations, or that several smaller groups under the same umbrella are tasked with different objectives.

Some of these assumptions were partly validated in September 2020, when the U.S. Department of Justice unsealed indictments against three Chinese and two Malaysian nationals in connection with APT41 attacks. Three of them were involved in the management of a company called Chengdu 404 Network Technology that was allegedly serving as a front company for the group's activities.

Another Chinese hacker named Tan Dailin, who was indicted in 2019 and is on the FBI's wanted list, is also believed to have worked with APT41, targeting high-tech and online gaming companies in attacks that were attributed to a cluster of APT41 activity tracked as Barium by security companies. These include the software supply-chain attacks against NetSarang, CCleaner and ASUS LiveUpdate. Dailin, known online as Withered Rose, was named in past reports as a malware developer who collaborated with another hacker known as whg, who is believed to be one of the authors behind the PlugX Trojan.

PlugX dates back to 2008 and over time has been one of the remote access trojans (RATs) most commonly used by Chinese hacker groups, including by APT41. According to Secureworks and other malware researchers, there is some code overlap between ShadowPad and PlugX, suggesting a possible collaboration between their creators.

What is ShadowPad?

Like PlugX, ShadowPad is a RAT that is used to maintain persistent access to compromised computers and allows hackers to execute shell commands and additional payloads. The Secureworks researchers have observed attacks where the ShadowPad process on an infected system was used to spawn multiple cmd.exe child processes, suggesting that hackers were manually interacting with the system.

ShadowPad is deployed through a technique known as DLL sideloading, where attackers deliver their malicious code as a DLL that has the same name as one of the libraries that a legitimate application searches for and loads. This is possible with applications that do not perform additional checks on the DLL file, such as validating its digital signature, to make sure it has not been tampered with.

The Secureworks researchers have seen ShadowPad being sideloaded by leveraging the legitimate executables AppLaunch.exe (Microsoft), hpqhvind.exe (Hewlett Packard), consent.exe (Microsoft), TosBtKbd.exe (Toshiba), BDReinit.exe (BitDefender) and Oleview.exe (Microsoft). Using this technique potentially allows attackers to evade detection because their malware is loaded into the memory of a process spawned by a legitimate, signed application.

In some attacks, the rogue DLL planted by the attackers included the encrypted ShadowPad payload, which was then decrypted and executed in memory. In other attacks the payload was delivered as a separate encrypted file that the DLL loaded as part of its routine. This keeps the rogue DLL slimmer and free of embedded encrypted code that could potentially trigger detection rules.

A typical ShadowPad deployment creates a new directory under C:\ProgramData, C:\Users\<username>\AppData\Roaming or C:\Program Files that contains the legitimate executable being abused, the lightweight DLL loader and the encrypted ShadowPad payload file. After first execution, the payload file is deleted and its contents are moved into the system registry. A Windows service is then created to execute the entire ShadowPad infection chain on system restart.
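The three behaviours described above (a known vendor binary sideloading an unsigned DLL from its own directory, that binary spawning cmd.exe, and a service pointing at it under one of the staging roots) are concrete enough to hunt for in endpoint telemetry. The script below is an added example, not Secureworks tooling or anything from the report. It assumes Sysmon-style fields (EID 1 ProcessCreate, EID 7 ImageLoaded with its `Signed` field, EID 7045 service install); every event in `SAMPLE_EVENTS` is constructed by hand, and the `Sync` directory, `mscoree.dll` file name and `SyncHost` service name are invented for illustration, not indicators from the report.

```python
"""Hunting logic for the ShadowPad deployment chain described above.

Added example, not Secureworks code. Event shapes loosely follow Sysmon
ProcessCreate (EID 1), ImageLoaded (EID 7) and the System log's service
install record (EID 7045). All events below are constructed; the directory,
DLL and service names in them are invented for the example.
"""
import re
from pathlib import PureWindowsPath

# Signed vendor executables the report names as sideloading hosts.
SIDELOAD_HOSTS = {
    "applaunch.exe", "hpqhvind.exe", "consent.exe",
    "tosbtkbd.exe", "bdreinit.exe", "oleview.exe",
}

# Roots under which the report says the staging directory is created.
STAGING_ROOTS = [
    re.compile(r"^c:\\programdata\\"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\"),
    re.compile(r"^c:\\program files( \(x86\))?\\"),
]


def image_name(path):
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def in_staging_root(path):
    """True if the path sits below one of the documented staging roots."""
    p = str(PureWindowsPath(path)).lower()
    return any(r.match(p) for r in STAGING_ROOTS)


def hunt(events):
    """Return one finding per event that matches a documented ShadowPad TTP."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7:
            # Sideload: a known host loads an unsigned DLL from its own
            # directory, i.e. a planted file shadowing a library it searches for.
            host, dll = ev["Image"], ev["ImageLoaded"]
            same_dir = PureWindowsPath(host).parent == PureWindowsPath(dll).parent
            if (image_name(host) in SIDELOAD_HOSTS and same_dir
                    and ev.get("Signed", "false").lower() != "true"):
                findings.append({"rule": "dll_sideload", "host": host, "dll": dll})
        elif eid == 1:
            # Hands-on-keyboard: the sideloading host spawns cmd.exe.
            if (image_name(ev["ParentImage"]) in SIDELOAD_HOSTS
                    and image_name(ev["Image"]) == "cmd.exe"):
                findings.append({"rule": "host_spawns_cmd",
                                 "host": ev["ParentImage"],
                                 "cmdline": ev.get("CommandLine", "")})
        elif eid == 7045:
            # Persistence: a service whose binary is a known host under a staging root.
            # Real 7045 ImagePath values may be quoted and carry arguments.
            path = ev["ImagePath"].strip('"')
            if image_name(path) in SIDELOAD_HOSTS and in_staging_root(path):
                findings.append({"rule": "service_persistence",
                                 "service": ev["ServiceName"], "path": path})
    return findings


# Constructed sample telemetry: three hits interleaved with benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\Sync\AppLaunch.exe",
     "ImageLoaded": r"C:\ProgramData\Sync\mscoree.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\ProgramData\Sync\AppLaunch.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "ParentImage": r"C:\ProgramData\Sync\AppLaunch.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 7045, "ServiceName": "SyncHost",
     "ImagePath": r'"C:\ProgramData\Sync\AppLaunch.exe"'},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when adapting this: hpqhvind.exe, TosBtKbd.exe and BDReinit.exe legitimately live under C:\Program Files on machines with the vendor's software installed, so the service rule will be noisy there unless you also compare against the expected install path or signer; and the registry-resident payload stage is not covered here, since spotting it needs registry write telemetry (Sysmon EID 13 with unusually large binary values). Layer the report's published indicators on top of these behavioural rules rather than relying on either alone.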

The different APTs using ShadowPad

While ShadowPad appeared to be used exclusively by Bronze Atlas early on, in 2019 it started appearing in attack campaigns against transportation, natural resource, energy and non-governmental organizations that Secureworks attributes to a different group called Bronze University. The company suspects both Bronze Atlas and Bronze University have links to China's MSS based on the victim typology and the type of information targeted. Bronze University's campaigns overlap with the activity described by Trend Micro in a report covering a group the company dubbed Earth Lusca.

Attack campaigns using ShadowPad observed in 2021 targeted organizations in South Korea, Russia, Japan and Mongolia. These were attributed by Secureworks to two groups dubbed Bronze Huntley (a.k.a. Karma Panda and Tonto Team) and Bronze Butler (a.k.a. Tick) that the company believes are associated with China's PLA, specifically its Northern Theater Command.

Since 2015, the PLA has been reformed and its seven military regions have been replaced with five theater commands (Eastern, Southern, Northern, Western and Central), each responsible for handling specific threats in its particular region and along its borders. According to Secureworks, this modernization included the establishment of the PLA Strategic Support Force (PLASSF or SSF), which focuses on modernizing the PLA's capabilities in the domains of space, cyberspace and the electromagnetic spectrum. The signals intelligence (SIGINT) capabilities previously associated with the Third Department of the PLA's General Staff (3PLA), which has been named as responsible for some of China's cyberespionage activities in the past, have now likely been brought under PLASSF and support the different theater commands.

Secureworks observed clusters of ShadowPad activity that shared DLL variants and infrastructure in campaigns against targets in India and Afghanistan.

“Third-party researchers linked some of these campaigns to an individual working on behalf of the Western Theater Command,” the Secureworks CTU researchers said. “CTU analysis did not reveal sufficient evidence to corroborate these claims, but the locations and victimology are consistent with threat actors operating on behalf of the Western Theater Command.”

Finally, a separate ShadowPad version was observed targeting organizations around the South China Sea. There is overlap between the command-and-control infrastructure used in this campaign and that used by the Nebulae malware family, which is attributed to a Chinese APT group that Secureworks tracks as Bronze Geneva and that is also known as APT30. This group is believed to match the targeting interests of the PLA's Southern Theater Command.

The Secureworks report includes indicators of compromise associated with all the ShadowPad versions, infrastructure and campaigns the company has tracked. Organizations can use them to build detection rules for their own environments.

Copyright © 2022 IDG Communications, Inc.


