Secureworks researchers reported that "ShadowPad is decrypted in memory using a custom decryption algorithm. ShadowPad collects host information, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality. It is a modular malware platform that shares noticeable similarities with the PlugX malware and has been used in high-profile attacks against NetSarang, CCleaner, and ASUS, forcing operators to change tactics and update their defensive measures."
ShadowPad, an advanced modular backdoor adopted by a growing number of Chinese threat groups in recent years, has been detailed by Secureworks researchers, who also link it to China's civilian (MSS) and military (PLA) intelligence apparatus.
ShadowPad was first documented by Kaspersky in 2017 after the NetSarang supply-chain attack, and SentinelOne described it as a "masterpiece of privately sold malware in Chinese espionage" in a detailed August 2021 analysis. PwC's subsequent investigation in December 2021 documented a bespoke packing mechanism called ScatterBee, used to obfuscate the 32-bit and 64-bit ShadowPad payloads.
Typically, the ShadowPad payload is delivered to a host either encrypted inside a DLL loader or embedded in a separate file that sits alongside the loader; the loader then decrypts the payload and executes it in memory using a custom decryption algorithm that varies with the malware version, so the payload never touches disk in decrypted form.
These loaders run after being sideloaded by a legitimate executable that is vulnerable to DLL search-order hijacking: because Windows resolves a required DLL by searching a fixed sequence of locations, a malicious DLL carrying the expected file name and placed earlier in that search path (commonly the executable's own directory) is loaded in place of the real one, and the trusted process ends up executing attacker code.
In one incident Secureworks observed, the threat actor instead placed the loader DLL in the Windows System32 directory, where it was loaded by the Remote Desktop Configuration (SessionEnv) service; that intrusion went on to deploy Cobalt Strike on the compromised system.
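The two loader placements described above (an unsigned DLL beside a legitimate host executable, and an unsigned DLL dropped into System32 for a service to pick up) are both visible in image-load telemetry. The following triage script is an added example, not Secureworks' tooling or anything from the ShadowPad reports; the events are constructed, the file names (`log.dll`, `sessionhelper.dll`) are invented, and the event fields only approximate Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature).

```python
"""Triage Sysmon-style image-load events for DLL sideloading patterns.

Added example, not code from Secureworks or the ShadowPad reports. Sample
events and DLL names below are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


@dataclass(frozen=True)
class ImageLoad:
    process: str          # Image: the executable that loaded the DLL
    dll: str              # ImageLoaded: full path of the DLL
    process_signed: bool  # Authenticode/catalog signature present on the host exe
    dll_signed: bool      # Authenticode/catalog signature present on the DLL
    dll_signer: str = ""  # Signature subject, when dll_signed is True


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string when the load matches a sideloading pattern, else None."""
    proc = PureWindowsPath(ev.process)  # PureWindowsPath compares case-insensitively
    dll = PureWindowsPath(ev.dll)
    if ev.dll_signed:
        # Signed DLLs are out of scope for this heuristic; catching a loader
        # signed with a stolen certificate would need a signer allowlist instead.
        return None
    # Pattern 1: search-order hijack. An unsigned DLL in the same directory as a
    # signed host executable is the classic sideloading layout.
    if ev.process_signed and dll.parent == proc.parent and dll.parent != SYSTEM32:
        return "unsigned DLL beside signed host executable (search-order hijack)"
    # Pattern 2: loader dropped into System32 and picked up by a service such as
    # SessionEnv. Windows' own System32 DLLs are catalog-signed, so an unsigned
    # file there is anomalous regardless of which process loaded it.
    if dll.parent == SYSTEM32:
        return "unsigned DLL loaded from System32"
    return None


def triage(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (dll path, reason) for every event that matches a pattern."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev.dll, reason))
    return hits


# Constructed sample events; vendor, host and DLL names are invented.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VendorApp\vendorapp.exe",
              r"C:\Program Files\VendorApp\log.dll", True, False),
    ImageLoad(r"C:\Program Files\VendorApp\vendorapp.exe",
              r"C:\Windows\System32\user32.dll", True, True, "Microsoft Windows"),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\sessionhelper.dll", True, False),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\kernel32.dll", True, True, "Microsoft Windows"),
    # Unsigned host loading its own unsigned helper: ordinary for in-house tools,
    # so it is deliberately not flagged by pattern 1.
    ImageLoad(r"C:\Users\alice\tool\tool.exe",
              r"C:\Users\alice\tool\helper.dll", False, False),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```

Run against the constructed events, `triage` flags only `log.dll` (unsigned, beside a signed host) and `sessionhelper.dll` (unsigned, in System32). In production the same two rules generate noise from legitimately unsigned vendor plug-ins, so pair them with a per-host baseline of first-seen DLL hashes rather than alerting on every match.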
In one ShadowPad incident, the initial intrusion paved the way for hands-on-keyboard activity, in which human operators manually issue commands on the infected system rather than relying on automated scripts. Secureworks linked specific ShadowPad activity clusters to Chinese nation-state groups aligned with the People's Liberation Army Strategic Support Force (PLASSF), such as Bronze Geneva (aka Hellsing), Bronze Butler (aka Tick), and Bronze Huntley (aka Tonto Team).
Finally, the researchers concluded: "ShadowPad has been deployed by MSS-affiliated threat groups, as well as PLA-affiliated threat groups operating on behalf of regional theatre commands. The malware was most likely created by threat actors associated with Bronze Atlas and then distributed to MSS and PLA threat groups in 2019."