ShadowPad Malware is First Choice For Chinese Espionage Groups

ShadowPad Malware is First Choice For Chinese Espionage Groups

Since it was first introduced in 2017, ShadowPad has been increasingly used by various Chinese threat actors. ShadowPad is a Windows backdoor that allows hackers to deploy further malicious modules on the compromised machine and steal data. The reason for its wide adoption is that it is well-designed and functional while providing a quick start for hackers:

“The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors,” SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said in a detailed overview of the malware, adding “some threat groups stopped developing their own backdoors after they gained access to ShadowPad.”

ShadowPad is a modular malware platform that emerged following the number of high-profile supply-chain incidents targeting NetSarang, CCleaner, and ASUS. Threat actors had to up their ShadowPad became their choice malware due to its advanced anti-detection techniques and persistence capabilities.

The most recent attacks with the use of ShadowPad were targeted at private organizations in Hong Kong and critical infrastructure in the US, Pakistan, India, and several other Central Asian countries.

ShadowPad has been mostly linked to APT41, but it also was used by Chinese espionage actors such as Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger.

“[The threat actor behind Fishmonger is] now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike,” the researchers said. “The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S.”

The Trojan uses a method to load and extract a Root plugin in memory, which allows it to perform other tasks like loading other embedded modules and deploying additional plugins from a remote command-and-control (C2) server. Researchers have seen 22 unique plugins used by the malware.

For backdoor communications, updating the C2 infrastructure and plugins attackers use a Delphi-based controller.

The plugins/modules that are available to ShadowPad users are sold by its operators separately and not bundled together. The total number of additional modules is over 100.

“The emergence of ShadowPad, a privately sold, well-developed and functional backdoor, offers threat actors a good opportunity to move away from self-developed backdoors,” the researchers said. “While it is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development.”

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.