ShadowPad, a sophisticated and modular backdoor used by a range of Chinese threat groups in recent years, has been detailed by cybersecurity researchers, who also link it to the country’s civilian and military intelligence services. This flexible malware platform shares features with the PlugX malware and has been used in high-profile cyberattacks on CCleaner, NetSarang, and ASUS, prompting its operators to change tactics and upgrade their defensive measures.
While the first operations that deployed ShadowPad were linked to a threat cluster known as Bronze Atlas (aka Barium), made up of Chinese nationals working for the network security firm Chengdu 404, the backdoor has been used by other Chinese threat groups since 2019. Cybersecurity firm SentinelOne called ShadowPad a “masterpiece of privately sold malware in Chinese espionage” in a comprehensive analysis published in August 2021, and in December 2021 PwC described a unique packing method called ScatterBee that is used to disguise the malicious 32-bit and 64-bit payloads of ShadowPad binaries.
ShadowPad payloads are typically encrypted inside a DLL loader or embedded in a separate file alongside a DLL loader; the loader then decrypts the embedded ShadowPad payload and runs it in memory, using a decryption routine specific to the malware version. These DLL loaders are executed by being sideloaded through a legitimate executable that is vulnerable to DLL search order hijacking, a technique that abuses the order in which Windows searches for the DLLs a program needs, so that the malicious library is loaded in place of the expected one.
Secureworks found that some infection chains include a third file containing the encrypted ShadowPad payload: a legitimate binary (e.g., BDReinit.exe or Oleview.exe) is launched to sideload the DLL, and the DLL in turn loads and decrypts that third file. In other cases, the threat actor has placed the DLL in the Windows System32 directory so that the Remote Desktop Configuration (SessionEnv) service loads it, which resulted in Cobalt Strike being deployed on the infected hosts.
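As an added defender’s example, not code from the Secureworks report or this article, the check below runs over constructed Sysmon-style image-load records (Event ID 7 fields Image, ImageLoaded, Signed) and flags both loading patterns described above: a DLL bearing a system DLL’s name resolved from the loading executable’s own directory, and an unsigned DLL loaded by a service host from System32. BDReinit.exe is the page’s example binary; every path, DLL name and the short system-DLL list are constructed for illustration.

```python
"""Flag DLL loads that match the sideloading patterns described for ShadowPad."""
import csv
import io
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed, deliberately short subset of DLL names that ship in System32.
# A real deployment would build this list from a clean reference host.
SYSTEM_DLL_NAMES = {"kernel32.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed sample records in Sysmon Event ID 7 field names; not real telemetry.
# "placeholder.dll" stands in for an attacker-dropped DLL whose name the page does not give.
SAMPLE_LOG = r"""Image,ImageLoaded,Signed
C:\Windows\System32\svchost.exe,C:\Windows\System32\kernel32.dll,true
C:\ProgramData\Tools\BDReinit.exe,C:\ProgramData\Tools\version.dll,false
C:\ProgramData\Tools\BDReinit.exe,C:\Windows\System32\version.dll,true
C:\Windows\System32\svchost.exe,C:\Windows\System32\placeholder.dll,false
C:\Program Files\Vendor\app.exe,C:\Program Files\Vendor\vendor_helper.dll,false
"""


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def classify(record):
    """Return a finding label for one image-load record, or None if it looks benign."""
    image = record["Image"].lower()
    loaded = record["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    signed = record["Signed"].strip().lower() == "true"
    # Rule 1: a DLL with a system DLL's name resolved outside the system directories.
    # Resolution from the executable's own directory is the classic search-order sideload.
    if name in SYSTEM_DLL_NAMES and not in_system_dir(loaded):
        if ntpath.dirname(loaded).lower() == ntpath.dirname(image):
            return "sideload-from-app-dir"
        return "system-dll-name-outside-system-dir"
    # Rule 2: a service host loading an unsigned DLL from System32, i.e. the
    # "drop a DLL into System32 and let a service load it" pattern.
    if image.endswith("\\svchost.exe") and in_system_dir(loaded) and not signed:
        return "unsigned-dll-loaded-by-service-from-system32"
    return None


def scan(log_text):
    """Return (label, loading image, loaded DLL) for every flagged record, in log order."""
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        label = classify(rec)
        if label:
            findings.append((label, rec["Image"], rec["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The legitimate load of version.dll from System32 by the same executable is not flagged, which is the distinction that makes rule 1 useful in practice.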
In one ShadowPad incident, the intrusion gave the operators hands-on-keyboard access to the infected system, so they entered commands manually rather than relying on automated scripts. Secureworks also attributed specific ShadowPad activity clusters to Chinese nation-state units aligned with the People’s Liberation Army Strategic Support Force (PLASSF), including Bronze Geneva (aka Hellsing), Bronze Butler (aka Tick), and Bronze Huntley (aka Tonto Team).