Cybersecurity researchers from Sentinel Labs have recently released a new in-depth study of ShadowPad, a Windows backdoor that enables threat actors to download further malicious modules or exfiltrate sensitive information.

According to SentinelOne researchers Yi-Jhen Hsieh and Joey Chen, "The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors. We observed that some threat groups stopped developing their own backdoors after they gained access to ShadowPad."

As a successor to PlugX and a modular malware platform since 2015, ShadowPad drew attention back in 2017 in the wake of supply-chain incidents targeting NetSarang, CCleaner, and ASUS. Its operators managed to shift techniques and update their defensive measures with advanced anti-detection and persistence tactics.

According to The Hacker News, attacks involving ShadowPad have troubled organizations in Hong Kong and critical infrastructure in India, Pakistan, and other Central Asian countries. Although primarily attributed to APT41, the malware is known to be preferred by several Chinese espionage actors such as Tick, RedEcho, RedFoxtrot, and the clusters dubbed Operation Redbonus, Redkanku, and Fishmonger.

Back in 2019, the actors used a special version of ShadowPad which allowed them to generate samples with a handful of plugins embedded by default. In 2020, they gained access to a new version of ShadowPad with updates and more advanced obfuscation techniques. They are now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections, including FunnySwitch, BIOPASS RAT, and Cobalt Strike. The victims include universities, governments, media sector companies, technology companies, and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India, and the US.

ShadowPad operates by decrypting and loading a Root plugin in memory, which takes care of loading the other embedded modules at runtime. Additionally, it dynamically deploys further plugins from a remote command-and-control (C2) server, allowing threat actors to add functionality not built into the malware by default.