Since it was first introduced in 2017, ShadowPad has been increasingly used by various Chinese threat actors. ShadowPad is a Windows backdoor that allows hackers to deploy further malicious modules on the compromised machine and steal data. The reason for its wide adoption is that it is well-designed and functional while providing a quick start for hackers:
“The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors,” SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said in a detailed overview of the malware, adding “some threat groups stopped developing their own backdoors after they gained access to ShadowPad.”
ShadowPad is a modular malware platform that emerged following a number of high-profile supply-chain incidents targeting NetSarang, CCleaner, and ASUS. It became the malware of choice for threat actors due to its advanced anti-detection techniques and persistence capabilities.
The most recent attacks using ShadowPad targeted private organizations in Hong Kong and critical infrastructure in the US, Pakistan, India, and several Central Asian countries.
ShadowPad has mostly been linked to APT41, but it was also used by Chinese espionage actors such as Tick, RedEcho, and RedFoxtrot, and by clusters dubbed Operation Redbonus, Redkanku, and Fishmonger.
“[The threat actor behind Fishmonger is] now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike,” the researchers said. “The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S.”
The Trojan loads and unpacks a Root plugin in memory, which then handles other tasks such as loading further embedded modules and deploying additional plugins fetched from a remote command-and-control (C2) server. Researchers have observed 22 unique plugins used by the malware.
Attackers use a Delphi-based controller for backdoor communications and for updating the C2 infrastructure and plugins.
The plugins (modules) available to ShadowPad users are sold separately by its operators rather than bundled together. The total number of additional modules is over 100.
“The emergence of ShadowPad, a privately sold, well-developed and functional backdoor, offers threat actors a good opportunity to move away from self-developed backdoors,” the researchers said. “While it is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development.”