Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that “adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors,” adding that “some threat groups stopped developing their own backdoors after they gained access to ShadowPad.”
ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn’t until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to gain considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a selected group of people. ShadowPad has been called a “masterpiece of privately sold malware in Chinese espionage” by an American cybersecurity firm.
ShadowPad is a shellcode-based modular backdoor. A layer of an obfuscated shellcode loader is in charge of decrypting and loading a Root plugin during execution. While the Root plugin’s chain of operations decrypts, it loads other shellcode-embedded plugins into memory. To date, at least 22 different plugins have been discovered.
Additional plugins can be remotely uploaded from the C&C server in addition to the ones included, allowing users to dynamically add functionality that isn’t present by default. A Delphi-based controller is in charge of the infected machines, which is used for backdoor communications, upgrading the C2 infrastructure, and controlling the plugins.
“While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development,” the researchers said.
ShadowPad-related attacks have lately targeted Hong Kong-based firms as well as key infrastructure in India, Pakistan, and other Central Asian countries. The implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger, although being predominantly attributed to APT41.
“The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike,” the researchers said. “The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S.”
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.