ShadowPad Malware Attacks Show Links with Chinese Ministry and PLA

According to cybersecurity researchers, the ShadowPad malware attacks have links with the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). This sophisticated, modular backdoor has recently been adopted by many Chinese threat groups and has links with the country's civilian and military intelligence agencies.

Secureworks researchers said, “ShadowPad is decrypted in memory using a custom decryption algorithm. ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality.”

This modular malware platform shares noticeable overlaps with the PlugX malware. PlugX was used in high-profile attacks against NetSarang, CCleaner, and ASUS. The threat actors are not shifting tactics or updating their defensive measures.

Earlier ShadowPad campaigns were attributed to a threat cluster tracked as Bronze Atlas (aka Barium), made up of Chinese nationals working for a network security company named Chengdu 404. Since 2019 the malware has been used by multiple other Chinese threat groups.

SentinelOne, in a detailed 2021 overview of the malware, called ShadowPad a “masterpiece of privately sold malware in Chinese espionage.” Likewise, PwC in its December 2021 analysis disclosed a bespoke packing mechanism, named ScatterBee, that is used to obfuscate malicious 32-bit and 64-bit payloads for ShadowPad binaries.

Traditionally the malware payload is deployed to a host either encrypted within a DLL loader or embedded inside a separate file alongside a DLL loader. The loader then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm tailored to the malware version.

The DLL loaders execute the malware after being sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking. In this technique, the attacker abuses the order in which Windows searches for a program's required DLLs so that a malicious DLL placed alongside the executable is loaded instead of the intended one.

Secureworks also observed some infection chains that involve a third file containing the encrypted ShadowPad payload. In these chains, a legitimate binary (e.g., BDReinit.exe or Oleview.exe) is executed to sideload the DLL, which in turn loads and decrypts the third file.

The threat actors have also placed the DLL file in the Windows System32 directory, where it is loaded by the Remote Desktop Configuration (SessionEnv) service, leading to the deployment of Cobalt Strike on compromised systems.
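Both loading patterns described above (a legitimate executable sideloading a DLL from its own directory, and a DLL planted in System32 for a service host to load) leave a trace in image-load telemetry. The following detection heuristic is an added example, not Secureworks' code or anything from the report; it runs over constructed Sysmon-style image-load events, and the DLL names, paths and System32 baseline are all made-up samples.

```python
"""Flag DLL sideloading candidates in constructed image-load events.

Rule 1: a DLL whose file name normally resolves from System32 is loaded
        from the executable's own directory outside C:\\Windows, i.e. the
        DLL search order was hijacked by a file dropped next to the binary.
Rule 2: a service host (svchost.exe) loads a DLL from System32 whose name
        is not in the clean-image baseline, i.e. a DLL was planted there.
"""
from pathlib import PureWindowsPath

# Constructed stand-in for a baseline of DLL names taken from a clean System32.
# Build the real one from a golden image; the names here are illustrative only.
SYSTEM32_BASELINE = {"ntdll.dll", "kernel32.dll", "helper.dll"}
SYSTEM32 = r"c:\windows\system32"

def _dir(path):
    return str(PureWindowsPath(path).parent).lower()

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return a finding string for one image-load event, or None if benign."""
    exe, exe_dir = _name(event["image"]), _dir(event["image"])
    dll, dll_dir = _name(event["image_loaded"]), _dir(event["image_loaded"])
    if (dll in SYSTEM32_BASELINE and dll_dir == exe_dir
            and not exe_dir.startswith(r"c:\windows")):
        return "sideload: %s loaded %s from %s" % (exe, dll, exe_dir)
    if exe == "svchost.exe" and dll_dir == SYSTEM32 and dll not in SYSTEM32_BASELINE:
        return "unexpected System32 DLL loaded by svchost.exe: %s" % dll
    return None

def findings(events):
    """Apply classify() to every event and keep only the hits."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed Sysmon-style image-load events (Event ID 7 fields, simplified).
# BDReinit.exe is one of the legitimate binaries named in the report; the
# directory and DLL names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"image": r"C:\Users\Public\Tools\BDReinit.exe",
     "image_loaded": r"C:\Users\Public\Tools\helper.dll"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\ntdll.dll"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\planted.dll"},
]

if __name__ == "__main__":
    for hit in findings(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 also fires on legitimate software that ships its own copy of a system DLL, so treat hits as triage candidates and pair them with signature and file-creation checks rather than blocking on them alone.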

In one incident, ShadowPad paved the way for hands-on-keyboard attacks, in which the attackers manually log into an infected system and execute commands themselves rather than relying on automated scripts.

Secureworks also attributed distinct ShadowPad activity clusters, such as Bronze Geneva (aka Hellsing), Bronze Butler (aka Tick), and Bronze Huntley (aka Tonto Team), to Chinese nation-state groups that operate in alignment with the People's Liberation Army Strategic Support Force (PLASSF).

The researchers added, “Evidence […] suggests that ShadowPad has been deployed by MSS-affiliated threat groups, as well as PLA-affiliated threat groups that operate on behalf of the regional theater commands. The malware was likely developed by threat actors affiliated with Bronze Atlas and then shared with MSS and PLA threat groups around 2019.”
