1. Home
  2. Software
  3. ShadowPad

ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [1][2][3]

ID: S0596
Associated Software: POISONPLUG.SHADOW
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 23 March 2021
Last Modified: 26 April 2021

Associated Software Descriptions

Name Description
POISONPLUG.SHADOW

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.[3]
.002 Application Layer Protocol: File Transfer Protocols

ShadowPad has used FTP for C2 communications.[3]
.004 Application Layer Protocol: DNS

ShadowPad has used DNS tunneling for C2 communications.[3]
Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

ShadowPad has encoded data as readable Latin characters.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

ShadowPad has decrypted a binary blob to start execution.[3]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

ShadowPad uses a DGA that is based on the day of the month for C2 servers.[2][3][4]
Enterprise T1070 Indicator Removal on Host

ShadowPad has deleted arbitrary Registry values.[3]
Enterprise T1105 Ingress Tool Transfer

ShadowPad has downloaded code from a C2 server.[2]
Enterprise T1112 Modify Registry

ShadowPad maintains a configuration block and virtual file system in the Registry.[3]
Enterprise T1095 Non-Application Layer Protocol

ShadowPad has used UDP for C2 communications.[3]
Enterprise T1027 Obfuscated Files or Information

ShadowPad has encrypted a virtual file system and various files.[2]
Enterprise T1057 Process Discovery

ShadowPad has collected the PID of a malicious process.[3]
Enterprise T1055 Process Injection

ShadowPad has injected an install module into a newly created process.[3]
.001 Dynamic-link Library Injection

ShadowPad has injected a DLL into svchost.exe.[3]
Enterprise T1029 Scheduled Transfer

ShadowPad has sent data back to C2 every 8 hours.[2]
Enterprise T1082 System Information Discovery

ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.[3]
Enterprise T1016 System Network Configuration Discovery

ShadowPad has collected the domain name of the victim system.[3]
Enterprise T1033 System Owner/User Discovery

ShadowPad has collected the username of the victim system.[3]
Enterprise T1124 System Time Discovery

ShadowPad has collected the current date and time of the victim system.[3]

Groups That Use This Software

ID Name References
G0096 APT41

[4][1]
G0081 Tropic Trooper

[1]
G0060 BRONZE BUTLER

[1]
G0131 Tonto Team

[5]

References

  1. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
  2. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  3. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  1. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  2. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.