According to Kaspersky threat researchers, the ShadowPad backdoor was used in a number of cyberattacks against businesses in the telecom, transportation, and industrial sectors. The effort targeted Malaysia’s port as well as the manufacturing and telecommunications sectors in Pakistan, Afghanistan, and Malaysia.
Kaspersky first discovered the ShadowPad backdoor on ICS (industrial control system) computers at a telecommunications business in Pakistan, where the attackers targeted engineering PCs in building automation systems. The investigation turned up extensive network activity as well as other victim groups in Malaysia, Pakistan, and Afghanistan. The attack stands out because threat actors seldom target building automation systems and use them as a point of entry; from these devices, the attackers can reach more valuable systems.
“Building automation systems are rare targets for advanced threat actors,” said Kirill Kruglov, security expert at Kaspersky ICS CERT. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.”
The ShadowPad backdoor, the PlugX backdoor, the Cobalt Strike framework, web shells, Mimikatz, credential stealers, and the Nextnet network scanning tool were installed on the target networks between March and October 2021. According to Kaspersky, a single Chinese-speaking threat actor was probably responsible for these attacks, based on the distinct collection of tactics, techniques, and procedures (TTPs) employed in them. Although the security researchers are not certain, the campaign's apparent goal is data collection.
At least some of the cyberattacks used an exploit for a Microsoft Exchange flaw (CVE-2021-26855) to gain initial access; several threat actors rapidly exploited that vulnerability once it was made public in March 2021. On the affected PCs the legitimate program AppLaunch.exe, placed in the same directory as ShadowPad, loaded the backdoor under the name mscoree.dll. The attackers set up a scheduled task to launch AppLaunch.exe.
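As an added illustration (not from Kaspersky's report), a small Python check that applies the launch pattern described above to constructed process events: the genuine AppLaunch.exe belongs in the .NET Framework directory, so a copy running elsewhere, or one that resolves mscoree.dll from its own folder instead of System32, is worth investigating. The sample events, the expected directories and the CSV layout are assumptions for this example.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry): the process image path and a DLL it loaded.
# Real sources such as Sysmon process-creation and image-load events carry many more fields.
SAMPLE_EVENTS = r"""host,image,loaded_dll
eng-pc-01,C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe,C:\Windows\System32\mscoree.dll
eng-pc-02,C:\ProgramData\Update\AppLaunch.exe,C:\ProgramData\Update\mscoree.dll
eng-pc-03,C:\Users\Public\AppLaunch.exe,C:\Windows\System32\mscoree.dll
"""

# Directories where the genuine AppLaunch.exe normally lives (assumption for this example).
EXPECTED_DIRS = {
    PureWindowsPath(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"),
    PureWindowsPath(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"),
}


def is_suspicious(image: str, loaded_dll: str) -> bool:
    """Flag AppLaunch.exe running outside its .NET directory, or loading mscoree.dll
    from its own directory rather than from System32 (the side-loading pattern)."""
    img = PureWindowsPath(image)
    dll = PureWindowsPath(loaded_dll)
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    if img.name.lower() != "applaunch.exe" or dll.name.lower() != "mscoree.dll":
        return False
    wrong_dir = img.parent not in EXPECTED_DIRS
    sideloaded = dll.parent == img.parent
    return wrong_dir or sideloaded


def find_suspicious(csv_text: str) -> list[str]:
    """Return the hosts whose events match the side-loading pattern, in input order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_suspicious(row["image"], row["loaded_dll"]):
            hits.append(row["host"])
    return hits


if __name__ == "__main__":
    for host in find_suspicious(SAMPLE_EVENTS):
        print(f"{host}: AppLaunch.exe / mscoree.dll side-loading pattern")
```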
In October 2021 the attackers shifted to a new variant of the malware and a new mode of operation based on DLL hijacking. Kaspersky's experts found a total of 25 distinct modified versions. The researchers also discovered commands that had been executed remotely via the command-line interface on several machines in the targeted businesses. The attackers first ran these commands manually but later began distributing scripts that contained the same set of commands.
The attackers used these commands to gather user information from infected devices, collect network connection data, check for internet services, copy files from the desktop to the Recycle Bin folder, archive the harvested files, mount a network drive, launch Mimikatz, save a registry key containing NTLM hashes to disk, and scan hosts on the network. At least one account at each targeted company had its domain authentication credentials stolen by the threat actor, who subsequently used those credentials to move laterally across the network. Additionally, Kaspersky found that the attackers used rented Choopa servers to host their C&C domains.
“We believe with a high degree of confidence that a Chinese-speaking threat actor is behind the activity described in this report. There are some minor references to HAFNIUM, a Chinese-speaking threat actor, but they are not sufficient to speak of HAFNIUM’s involvement […] with a high degree of confidence,” notes Kaspersky.