Threat Analysis

ShadowPad Malware Analysis

Summary

The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals. Secureworks® Counter Threat Unit™ (CTU) analysis of ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People's Liberation Army (PLA).

Some clusters that target China's 'near abroad' appear to be linked to PLA theater commands. These theater commands were introduced in the PLA reforms announced in 2015. Evidence of infrastructure and malware crossover among threat groups likely operating within the same theater command suggests that PLA reforms could be facilitating collaboration among these groups.

ShadowPad payloads are decrypted in memory using a custom decryption algorithm, and CTU™ researchers have identified multiple ShadowPad versions by their distinct algorithms. ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality. CTU researchers discovered that ShadowPad payloads are deployed to a host either encrypted within a DLL loader or within a separate file alongside a DLL loader. These DLL loaders decrypt and execute ShadowPad in memory after being sideloaded by a legitimate executable vulnerable to DLL search order hijacking.

ShadowPad DLL loader execution

The majority of ShadowPad samples analyzed by CTU researchers were two-file execution chains: a legitimate executable and a DLL loader with the encrypted ShadowPad payload embedded in it. The DLL loader is sideloaded by a legitimate executable vulnerable to DLL search order hijacking, and then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm specific to the malware version. Table 1 lists the legitimate executable and malicious DLL pairs that CTU researchers observed in analyzed samples.

Legitimate executable   Vendor            ShadowPad DLL loader filename
AppLaunch.exe           Microsoft         mscoree.dll
hpqhvind.exe            Hewlett Packard   hpqhvsei.dll
consent.exe             Microsoft         secur32.dll
TosBtKbd.exe            Toshiba           tosbtkbd.dll
BDReinit.exe            BitDefender       log.dll
Oleview.exe             Microsoft         iviewers.dll

Table 1. Legitimate executable and DLL loader filenames used to load ShadowPad.

CTU researchers identified ShadowPad execution chains involving a third file that contains the encrypted ShadowPad payload. These chains execute the legitimate executable (usually renamed), sideload the ShadowPad DLL loader, and load and decrypt the third file. CTU researchers observed threat actors using BDReinit.exe or Oleview.exe as initial files in the three-file ShadowPad execution chain. The third file in the BDReinit.exe execution chain is log.dll.dat; in the Oleview.exe execution chain, it is iviewers.dll.dat. CTU researchers have attributed campaigns using these execution chains to the Chinese BRONZE UNIVERSITY threat group, which has targeted transportation, natural resource, energy, and non-governmental organizations. Third-party researchers have also identified three-file ShadowPad execution chains that begin with consent.exe (followed by secur32.dll and secur32.dll.dat) and AppLaunch.exe (followed by mscoree.dll and mscoree.dll.dat). Additionally, CTU analysis revealed a sample that used AppLaunch.exe followed by mscoree.dll and mscoree.dll.mui.

Other ShadowPad samples, from 2018, also deviated from the typical two-file execution chain. Those samples used the filename TSVIPSrv.DLL, were placed in the Windows System32 directory, and were loaded by the Windows SessionEnv service, which is vulnerable to DLL hijacking because it attempts to load that DLL from System32 even though no such file ships with Windows. CTU researchers observed BRONZE ATLAS using this technique in 2021 to load other payloads, including Cobalt Strike, via this filename.

CTU researchers discovered ShadowPad samples sharing behavioral similarities, such as injecting the decrypted ShadowPad payload into a newly launched target process and establishing persistence on the compromised host using settings specified in the malware configuration. Figure 1 lists configuration information for a ShadowPad sample that reveals command and control (C2) details, the process injection target, and persistence via creation of a service and a registry Run key.

Figure 1. ShadowPad sample configuration information. (Source: Secureworks)

As part of the execution chain, ShadowPad copies the legitimate binary and sideloaded DLL to a subdirectory specific to each sample. Most analyzed samples were copied to a subdirectory under C:\ProgramData, C:\Users\<username>\Roaming, or C:\Program Files. In three-file execution chains, the third file (e.g., log.dll.dat, iviewers.dll.dat) is typically deleted and the ShadowPad DLL loader is padded to over 50MB, likely to evade antivirus software. As part of this process, an encrypted payload is usually saved to a registry key under HKLM\SOFTWARE\Classes\CLSID\{GUID}\<eight-character hexadecimal string> (see Figure 2).

Figure 2. Sample ShadowPad encrypted payload location. (Source: Secureworks)

After the initial setup, the legitimate executable is launched as a Windows service, and this service initiates the ShadowPad execution chain. The ShadowPad payload is injected into a child process of the service process; the target process is specified in the ShadowPad configuration information. Figure 3 shows the timeline of a ShadowPad execution chain (i.e., log.exe -> log.dll -> log.dll.dat), followed by the service creation and execution of the copied files (log.exe renamed to reg.exe), and the payload injection.

Figure 3. Observed timeline of ShadowPad execution, service creation, and payload injection on a compromised network. (Source: Secureworks)

CTU researchers observed threat actors interacting with ShadowPad malware on compromised hosts. In one incident, multiple cmd.exe child processes were launched via hands-on-keyboard activity (see Figure 4).

Figure 4. Threat actor interaction with ShadowPad malware. (Source: Secureworks)

Identifying characteristics

The following file structures and behaviors can indicate a ShadowPad compromise:

  • A subdirectory within C:\ProgramData, C:\Users\<username>\Roaming, or C:\Program Files that contains a legitimate executable (likely renamed) and one of the known ShadowPad DLL loader filenames from Table 1 (see Figure 5)

    Figure 5. Example legitimate executable and ShadowPad DLL loader in C:\ProgramData subdirectory. (Source: Secureworks)

  • A Windows service that launches the legitimate executable from that subdirectory (see Figure 6)

    Figure 6. Example of installed Windows service for ShadowPad persistence. (Source: Secureworks)

  • Process telemetry showing the Windows service creating an unusual child process (e.g., svchost.exe), which in turn creates multiple dllhost.exe and cmd.exe child processes
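The three characteristics above can be combined into a host-level hunt. The following is an added example, not code from the Secureworks report: it checks for a staging subdirectory holding one of the Table 1 loader DLL names (and whether that DLL is padded past 50MB), a Windows service launching from that directory, the service process spawning a child that in turn spawns dllhost.exe/cmd.exe processes, and registry keys matching the encrypted-payload location pattern. It runs over constructed telemetry shaped like exported file, service, process and registry listings; the field layout, sample paths, service names, PIDs and GUID are all assumptions made for the example.

```python
"""Added example: hunt for the ShadowPad host artefacts described above.
Not code from the Secureworks report; the telemetry layout and every sample
value below are constructed for the example."""
import re
from collections import defaultdict

# DLL loader filenames from Table 1. The legitimate executable beside them is
# usually renamed on disk (e.g. log.exe -> reg.exe), so the DLL name is the
# stable half of the pair.
LOADER_DLLS = {"mscoree.dll", "hpqhvsei.dll", "secur32.dll",
               "tosbtkbd.dll", "log.dll", "iviewers.dll"}
# Roots under which the text reports sample-specific staging subdirectories.
STAGING_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\program files\\")
PADDED_LOADER_BYTES = 50 * 1024 * 1024          # loader padded to over 50MB
INJECTION_CHILDREN = {"dllhost.exe", "cmd.exe"}
# HKLM\SOFTWARE\Classes\CLSID\{GUID}\<eight-character hexadecimal string>
PAYLOAD_KEY_RE = re.compile(
    r"^hklm\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\[0-9a-f]{8}$", re.I)


def _dirname(path):
    return path.lower().rpartition("\\")[0]


def staged_loader_dirs(files):
    """files: (path, size_bytes). Returns {staging_dir: loader_is_padded}
    for every subdirectory of a staging root holding a loader DLL name."""
    found = {}
    for path, size in files:
        p = path.lower()
        d, _, name = p.rpartition("\\")
        in_root = any(p.startswith(r) and len(d) > len(r) for r in STAGING_ROOTS)
        if name in LOADER_DLLS and in_root:
            found[d] = found.get(d, False) or size > PADDED_LOADER_BYTES
    return found


def services_launching_from(services, dirs):
    """services: (name, image_path). Returns {dir: [service names]}."""
    hits = defaultdict(list)
    for name, image in services:
        m = re.match(r'"?([^"]+?\.exe)', image, re.I)   # drop quotes/arguments
        exe = (m.group(1) if m else image).lower()
        if _dirname(exe) in dirs:
            hits[_dirname(exe)].append(name)
    return dict(hits)


def injection_chains(processes, dirs):
    """processes: (pid, ppid, image). Returns (dir, service_pid, child_pid)
    when a process running from a flagged directory spawns a child (the
    injection target) that itself spawns >= 2 dllhost.exe/cmd.exe processes."""
    by_pid = {pid: (ppid, image.lower()) for pid, ppid, image in processes}
    children = defaultdict(list)
    for pid, (ppid, _) in by_pid.items():
        children[ppid].append(pid)
    chains = []
    for pid, (_, image) in by_pid.items():
        d = _dirname(image)
        if d not in dirs:
            continue
        for child in children[pid]:
            spawned = [g for g in children[child]
                       if by_pid[g][1].rpartition("\\")[2] in INJECTION_CHILDREN]
            if len(spawned) >= 2:
                chains.append((d, pid, child))
    return chains


def payload_registry_keys(keys):
    return [k for k in keys if PAYLOAD_KEY_RE.match(k)]


def hunt(files, services, processes, registry_keys):
    """A lone loader-named DLL under C:\\Program Files may be a genuine vendor
    file, so a directory is reported only with >= 2 corroborating signals."""
    dirs = staged_loader_dirs(files)
    svc = services_launching_from(services, dirs)
    chain_dirs = {c[0] for c in injection_chains(processes, dirs)}
    report = {}
    for d, padded in dirs.items():
        signals = ["loader_dll"]
        if padded:
            signals.append("padded_loader")
        if d in svc:
            signals.append("service")
        if d in chain_dirs:
            signals.append("injection_chain")
        if len(signals) >= 2:
            report[d] = signals
    return report, payload_registry_keys(registry_keys)


# Constructed sample telemetry: one staged host plus benign noise.
FILES = [
    (r"C:\ProgramData\Intel\reg.exe", 112_640),                     # renamed BDReinit.exe
    (r"C:\ProgramData\Intel\log.dll", 61_000_000),                  # padded loader
    (r"C:\Program Files\HP\Digital Imaging\hpqhvsei.dll", 73_000),  # genuine vendor DLL
]
SERVICES = [
    ("wuauserv", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("IntelAudioSvc", r'"C:\ProgramData\Intel\reg.exe"'),
]
PROCESSES = [  # (pid, ppid, image)
    (4, 0, r"C:\Windows\System32\services.exe"),
    (1200, 4, r"C:\ProgramData\Intel\reg.exe"),
    (1300, 1200, r"C:\Windows\System32\svchost.exe"),              # injection target
    (1410, 1300, r"C:\Windows\System32\dllhost.exe"),
    (1420, 1300, r"C:\Windows\System32\dllhost.exe"),
    (1430, 1300, r"C:\Windows\System32\cmd.exe"),                  # hands-on-keyboard
]
REGISTRY_KEYS = [
    r"HKLM\SOFTWARE\Classes\CLSID\{6C1B3D4F-0A2E-4B7A-9D3C-2F4E5A6B7C8D}\4f3a9c1e",
    r"HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32",
]

if __name__ == "__main__":
    found, keys = hunt(FILES, SERVICES, PROCESSES, REGISTRY_KEYS)
    for d, signals in found.items():
        print(f"{d}: {', '.join(signals)}")
    for k in keys:
        print(f"payload key: {k}")
```

The directory rule deliberately requires corroboration: a vendor's own hpqhvsei.dll under C:\Program Files matches the filename alone and is left out of the report, whereas the staged directory scores on all four signals. The registry pattern is reported separately because the GUID and subkey name differ per sample.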

The BRONZE ATLAS/Chengdu 404 nexus

ShadowPad gained notoriety in 2017 after it was deployed in software supply chain attacks involving CCleaner, NetSarang, and ASUS Live Update utility. These campaigns were attributed to the BRONZE ATLAS threat group.

A 2017 Microsoft complaint and U.S. Department of Justice (DOJ) indictments unsealed in 2020 provide additional information on ShadowPad's connection to BRONZE ATLAS. The Microsoft complaint alleges that BRONZE ATLAS (also known as Barium) deployed ShadowPad in 2017 to steal intellectual property and personally identifiable information (PII). At the time, the malware was used only by BRONZE ATLAS. The DOJ indictments allege that Chinese nationals working for the Chengdu 404 network security company deployed ShadowPad in a global campaign attributed to BRONZE ATLAS.

A related DOJ indictment revealed that these Chinese nationals collaborated with another Chinese national known by the handle 'Rose' (sometimes known as Withered Rose and Wicked Rose), using similar tactics, techniques, and procedures (TTPs) and sharing malware. The indictment describes this individual as a sophisticated threat actor who committed computer intrusion offenses targeting high-technology organizations globally. Campaigns linked to Rose were tracked as Barium.

A third-party report claimed that Rose likely co-developed malware with an associate named 'whg,' who has been linked to the development of the PlugX malware. PlugX is used by multiple Chinese threat groups. Third-party researchers also identified string and code overlap between PlugX and ShadowPad. This overlap suggests close links between the ShadowPad and PlugX developers. ShadowPad may have been developed by an individual or group affiliated with BRONZE ATLAS. One possibility is that Chengdu 404 originally developed ShadowPad, as the individuals named in the DOJ indictments were allegedly involved with developing malware used in their campaigns.

It is likely that only BRONZE ATLAS used ShadowPad until approximately 2019. Most of the ShadowPad DLL loader samples can be clustered based on compile timestamps, C2 infrastructure, payload versions, DLL loader code overlap, and likely victimology. CTU researchers identified multiple ShadowPad clusters used in campaigns since 2019 and attributed these clusters to distinct threat groups. These groups include BRONZE ATLAS and BRONZE UNIVERSITY, whose targeting suggests affiliation with the MSS. A third-party report suggests that BRONZE UNIVERSITY (referred to in the report as Earth Lusca) may be operating near Chengdu in China, after operational security mistakes revealed China-based infrastructure. Other ShadowPad clusters appear to reflect targeting aligned with PLA theater command areas of responsibility.

PLA reforms

In late 2015, PRC leader Xi Jinping announced widespread reforms to the PLA that included the establishment of the Strategic Support Force (PLASSF or SSF). This new branch focuses on modernizing the PLA's capabilities in strategic frontiers of space, cyberspace, and the electromagnetic domain. The impact on the PLA's cyberespionage mission has been extensive. Many organizations responsible for cyberespionage and signals intelligence (SIGINT) associated with the Third Department of the PLA's General Staff Department (commonly known as 3PLA) have been absorbed into the SSF Network Systems Department (NSD). The SSF NSD is also believed to be responsible for a broad range of information warfare capabilities beyond cyberespionage, coordinating electronic countermeasures as well as offensive and defensive cyber projects. Figure 7 shows the likely SSF organizational structure.

Figure 7. PLA SSF likely organizational structure. (Source: Institute for National Strategic Studies)

As part of the modernization, the PLA replaced its seven military regions with five theater commands: Eastern, Southern, Western, Northern, and Central (see Figure 8). These theater commands orchestrate ground, naval, air, and conventional missile forces for military operations in their geographic area of responsibility. While the exact area of responsibility for each theater command is ambiguous, they are broadly responsible for specific threats within their respective regions:

  • Eastern Theater Command: Taiwan Strait and East China Sea
  • Southern Theater Command: South China Sea
  • Northern Theater Command: Russia and the Korean Peninsula
  • Western Theater Command: Central Asia and the Sino-Indian border
  • Central Theater Command: defends the capital and possibly provides support to other theater commands

Figure 8. PLA theater command structure. (Source: The Jamestown Foundation)

Prior to the PLA reforms, each military region maintained at least one Technical Reconnaissance Bureau (TRB) to handle SIGINT and cyberespionage activities focused on the military region's area of responsibility. The TRBs were distinct from the former 3PLA units that were located across China, but they may have been tasked by the 3PLA.

The relationship between the TRBs and the theater commands is unclear. The TRBs may have been consolidated under the SSF NSD alongside former 3PLA units. It is also possible that they continue to target countries in their area of responsibility but under the command and control of the SSF NSD.

Connections to PLA-linked threat groups

CTU researchers grouped distinct ShadowPad activity clusters by targeted geographic regions. Clusters align with the documented area of responsibility for three of the theater commands: Northern, Southern, and Western. CTU researchers attribute some of the ShadowPad activity to Chinese threat groups that have been publicly linked to specific PLA units located in the corresponding theater commands:

  • Northern Theater Command: CTU researchers linked ShadowPad activity to BRONZE HUNTLEY and BRONZE BUTLER, which are reportedly located in the Northern Theater Command. These threat groups deployed ShadowPad against targets in South Korea, Russia, Japan, and Mongolia. These regions align with the Northern Theater Command's focus. In 2021, CTU researchers observed malware and infrastructure overlap between the two threat groups, suggesting close collaboration.
  • Western Theater Command: Some ShadowPad activity primarily targeted countries neighboring China's western border, such as India and Afghanistan. CTU researchers clustered this activity based on attacker-controlled infrastructure, ShadowPad DLL loader variants such as ICEKILLER, and contextual information from third-party sources. Third-party researchers linked some of these campaigns to an individual working on behalf of the Western Theater Command. CTU analysis did not reveal sufficient evidence to corroborate these claims, but the locations and victimology are consistent with threat actors operating on behalf of the Western Theater Command.
  • Southern Theater Command: CTU researchers identified activity that used a specific ShadowPad version to target organizations in the South China Sea region. BRONZE GENEVA is likely responsible for part of this activity based on overlap between the C2 infrastructure for the Nebulae malware family associated with BRONZE GENEVA and a ShadowPad sample analyzed by CTU researchers.

This attribution of ShadowPad campaigns to theater commands is based on the submitter's location for ShadowPad malware samples uploaded to the VirusTotal analysis service (potentially indicating the victim's country), C2 domain names that appear to reference specific regions (e.g., cloudvn.info suggests Vietnam targeting), contextual information regarding the activity and victimology, and the absence of evidence that ShadowPad samples with the same attributes were deployed in other regions.

Conclusion

Evidence available as of this publication suggests that ShadowPad has been deployed by MSS-affiliated threat groups, as well as PLA-affiliated threat groups that operate on behalf of the regional theater commands. The malware was likely developed by threat actors affiliated with BRONZE ATLAS and then shared with MSS and PLA threat groups around 2019. Given the range of groups leveraging ShadowPad, all organizations that are likely targets for Chinese threat groups should monitor for TTPs associated with this malware. Organizations with operations in or connections to geographic regions covered by the regional theater commands should specifically monitor for known TTPs associated with threat groups likely affiliated with the relevant theater command.

Threat indicators

The threat indicators in Table 2 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The IP addresses and domains may contain malicious content, so consider the risks before opening them in a browser. The file hashes identify the loader and payload files as originally dropped; because the execution chain pads the copied DLL loader to over 50MB and deletes the separate payload file, copies found in a staging directory will not match these hashes, so pair hash matching with the file structure, service, and process indicators described above.

Indicator                                                         Type         Context
billing.epac.to                                                   Domain       ShadowPad C2 server
9d686ceed21877821ab6170a348cc073                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
3ebeb4e08c82b220365b1e7dd0cc199b765eed91                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
9c28c1b2ff0a84c8b667f128626f28b173feb07481192e214b5a29b98964a7f9  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
172.197.18.30                                                     IP address   ShadowPad C2 server
172.200.21.190                                                    IP address   ShadowPad C2 server
27d889c351ac2f48d31b91d06061ec8d                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
f5b7ea5e705655a1bc08030b601443088a5af4dd                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
d48e671df571b76ee94c734bdd5272e12fcd1362f1d75138ff547bc2bc0c31ef  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
vsmrcil.casacam.net                                               Domain       ShadowPad C2 server
17e812958704f4ced297731ce47de020                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
57b5ca13d7b2dd9287bdda548ccf7b21c1201464                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
0942f4a488899d5d78b31a0065e49c8689ccda88efc28186e29ee76861ba99da  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
exat.dnset.com                                                    Domain       ShadowPad C2 server
fac0b4fe5372d76607c36ccb51e6b7bb                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
952614358b37d2a519d66ee7759c70e31218ed36                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
4557e923602730aab7718b61eeaf3a93edd0339a3c89c8f7061b9818c2df5203  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
dprouds.casacam.net                                               Domain       ShadowPad C2 server
17268032c7562fa9473bb85018cb1c2c                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
3d1ae0779b304a8d54df142933158417440ca3ff                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
bf3de88459f85ddd85245e3f1ce3bba6568919bbe46a808ad5d94d5415014926  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
secupdate.kozow.com                                               Domain       ShadowPad C2 server
41ff21ea773b73812d91f91b68280ed3                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
8d0be3bca6c93b1ab396ec4a93a33371c82b6567                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
2e07d66155987216dc8cc095b48dd971415f0da261b5b26c58a0e3d34f446038  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
goest.mrbonus.com                                                 Domain       ShadowPad C2 server
1480d2856e4d57d0c8394ade835493db                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
3dfa0fc7da98d0efbd6dbc4b47e01f669e54ea07                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
69eb1aa0021c9b6905b8f0a354884a67f18d20aa045db20b5b5d59f41c7f201f  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
phiinoc.dnsdyn.net                                                Domain       ShadowPad C2 server
40e7f1a18735819d6cf5f5cff0fb72f4                                  MD5 hash     ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
0b75c1507d6849b303fb496ab8afa60c6c3e8624                          SHA1 hash    ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
bc0c31be0d4784a6f8ad6333767580e61e7bbe500139fe0d111c39475470a312  SHA256 hash  ShadowPad DLL loader ICEKILLER variant (mscoree.dll)
stratorpriv.lubni23.com                                           Domain       BRONZE HUNTLEY ShadowPad C2 server
59961f8c3d8d6cfb7a378f58ff5c5f30                                  MD5 hash     BRONZE HUNTLEY ShadowPad DLL loader (secur32.dll)
56ff0a3f5d8f67468f1771d38cc6d017a0cd6462                          SHA1 hash    BRONZE HUNTLEY ShadowPad DLL loader (secur32.dll)
0dfd91a0dd5d1143697413ebd50efde2411d07b4113d7d282ca0ec3c9d77d5ed  SHA256 hash  BRONZE HUNTLEY ShadowPad DLL loader (secur32.dll)
rolesnews.com                                                     Domain       BRONZE HUNTLEY ShadowPad C2 server
dfd3b637fc35e850138b33758934f3f7                                  MD5 hash     BRONZE HUNTLEY ShadowPad DLL loader (secur32.dll)
0d0c5e63a9daf3c322667310e1c06c8b896f7b4c                          SHA1 hash    BRONZE HUNTLEY ShadowPad DLL loader (secur32.dll)
ec6852c341aff9d770debc1ef72fb5795c4d71c1327d57d79d65136cc2a670a4  SHA256 hash  BRONZE HUNTLEY ShadowPad DLL loader (secur32.dll)
www.cloudvn.info                                                  Domain       ShadowPad C2 server linked to targeting of Vietnamese organizations
0ddd78208c16e9f8174868bdf92eac9b                                  MD5 hash     ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
fa639e82ae481a70dffff2c50745ada660c93aa8                          SHA1 hash    ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
244e22147cc1e37543159a95cf4674a61f290af305c1c1e37b69c45b444f9097  SHA256 hash  ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
103.255.179.186                                                   IP address   ShadowPad C2 server linked to targeting of Vietnamese organizations
f977be4ebb0d06c9a19b37d8bbb37178                                  MD5 hash     ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
92c091453295536aef0bac93aa24a294624266da                          SHA1 hash    ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
2e6ef72d05b395224a03a73a50eaee1c9dc682976c99dde5317b76938cb669a4  SHA256 hash  ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
154.202.198.246                                                   IP address   ShadowPad C2 server
b40dec21d0c3061bef422bb946366cba                                  MD5 hash     ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
78f59be833fe8a504a0def218d72aef62823bdaf                          SHA1 hash    ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2  SHA256 hash  ShadowPad DLL loader linked to targeting of Vietnamese organizations (hpqhvsei.dll)
3520e591065d3174999cc254e6f3dbf5                                  MD5 hash     BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
47cdaf6c5c3fffeeff1f2c9e6c7649f99ab54932                          SHA1 hash    BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
dbb32cb933b6bb25e499185d6db71386a4b5709500d2da92d377171b7ff43294  SHA256 hash  BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
bda94af893973fe675c35e5699d90521                                  MD5 hash     BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
41b78af0a34f2d1da8d52d895ee50da26f2a5ab4                          SHA1 hash    BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
18c4a15e587b223a3fb4d27eedeb16b81e5c75409d9ffbbe8aeeb7c4c2bd5041  SHA256 hash  BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
47.56.228.89                                                      IP address   BRONZE UNIVERSITY ShadowPad C2 server
c3292a51c1b92d7dd08518095bb851f8                                  MD5 hash     BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
ea60a4100d7a893079c29a6027d604759f62c63b                          SHA1 hash    BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
d8f695730fcf2cb5a894107740be0a0fa9bbae6851b83d396976a678236dec30  SHA256 hash  BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
b1a9afc937a6e7e0d09e5ccd8b2198f5                                  MD5 hash     BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
5f751bab830f5470fcbac04b1c165bc0b6e6ecff                          SHA1 hash    BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
1402ed922a7efc05a6d9482136598fdb52afd95cb4e40190ea44a3ba087a58ab  SHA256 hash  BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
3e372906248b215ea0ee853cb4e29dd8                                  MD5 hash     BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
c62b977c93979effb48a1614956c2a788abb22fe                          SHA1 hash    BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
8d1a5381492fe175c3c8263b6b81fd99aace9e2506881903d502336a55352fef  SHA256 hash  BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
ffbadead054d1eac270f1a24d02e8a1f                                  MD5 hash     BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
c73329dfbe99de4abb93b4fda6310a0c5eedd8f9                          SHA1 hash    BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
0371fc2a7cc73665971335fc23f38df2c82558961ad9fc2e984648c9415d8c4e  SHA256 hash  BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
ti0wddsnv.wikimedia.vip                                           Domain       BRONZE UNIVERSITY ShadowPad C2 server
06539163f71f8bd496db75ccb41db820                                  MD5 hash     BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
880fa69a6efd8de68771d3df2f9683107fb484c0                          SHA1 hash    BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
a8e5a1b15d42c4da97e23f5eb4a0adfd29674844ce906a86fa3554fc7e58d553  SHA256 hash  BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
373eacf3ffd1b5722f9d3c1595092b4c                                  MD5 hash     BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
363e32fafd2732b3cfb53dfd39bef56da1affd7f                          SHA1 hash    BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
8065da4300e12e95b45e64ff8493d9401db1ea61be85e74f74a73b366283f27e  SHA256 hash  BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
207.148.98.61                                                     IP address   BRONZE UNIVERSITY ShadowPad C2 server
ea6be331b5fa349a2fa464b062043b0e                                  MD5 hash     BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
9605ad1bf0432ffb148d422099e23eaa26bed4c8                          SHA1 hash    BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
04089c1f71d62d50cbd8009dfd557aa1e6db1492a9fa2b35902182c07a0ed1c1  SHA256 hash  BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
yjij4bpade.nslookup.club                                          Domain       BRONZE UNIVERSITY ShadowPad C2 server
5fe99a8f8cbfe46832478aa9c9634ed6                                  MD5 hash     BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
b224ae9ffd8119d773dedb1863d46725c29143f8                          SHA1 hash    BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
c602456fae02510ff182b45d4ffb69ee6aae11667460001241685807db2e29c3  SHA256 hash  BRONZE UNIVERSITY ShadowPad payload (log.dll.dat)
6czumi0fbg.symantecupd.com                                        Domain       BRONZE UNIVERSITY ShadowPad C2 server
live.musicweb.xyz                                                 Domain       BRONZE UNIVERSITY ShadowPad C2 server
obo.videocenter.org                                               Domain       BRONZE UNIVERSITY ShadowPad C2 server
5.188.33.106                                                      IP address   BRONZE UNIVERSITY ShadowPad C2 server
299980c914250bac7522de849f6df24f                                  MD5 hash     BRONZE UNIVERSITY ShadowPad DLL loader (iviewers.dll)
9a035477c1ef725309ae4afac50ffc18d8194a90                          SHA1 hash    BRONZE UNIVERSITY ShadowPad DLL loader (iviewers.dll)
9981b9d2024665b7312b673926be96df34be2dc9779956ff49690968e0265d2d  SHA256 hash  BRONZE UNIVERSITY ShadowPad DLL loader (iviewers.dll)
6538263d35b9bb438a9648e904ed7394                                  MD5 hash     BRONZE UNIVERSITY ShadowPad encrypted payload (iviewers.dll.dat)
680bcd1b172a3658954931131f8248bf66dbc5b1                          SHA1 hash    BRONZE UNIVERSITY ShadowPad encrypted payload (iviewers.dll.dat)
253f474aa0147fdcf88beaae40f3a23bdadfc98b8dd36ae2d81c387ced2db4f1  SHA256 hash  BRONZE UNIVERSITY ShadowPad encrypted payload (iviewers.dll.dat)
139.180.141.16                                                    IP address   BRONZE UNIVERSITY ShadowPad C2 server
teamview.microsoft.msglocalmicro.com                              Domain       BRONZE UNIVERSITY ShadowPad C2 server
ts.ekaldhfl.club                                                  Domain       BRONZE UNIVERSITY ShadowPad C2 server
246d233f4fcda6f4c1ec1177dbad31b4                                  MD5 hash     BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
e76049ee244e74729a20f666328d5eeff8d6488f                          SHA1 hash    BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)
136848cfbd59af5dcba0fcfb3257bb714184129f94d1a67def618f39dde7c17d  SHA256 hash  BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)

Table 2. Indicators for this threat.
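Consuming Table 2 is not a plain string lookup: the hash rows are of three digest types, the C2 entries mix IP addresses with hostnames, and several hostnames sit under third-party dynamic DNS parents (casacam.net, kozow.com, dnset.com), which must not themselves be treated as malicious. The following is an added example, not code from the Secureworks report: it infers each indicator's type from its shape and matches a handful of the Table 2 entries against constructed DNS query lines and a constructed file-hash inventory. The log line format, client addresses, timestamps and file paths are assumptions made for the example; the indicator values themselves are taken from Table 2.

```python
"""Added example: match Table 2 indicators against host and DNS records.
Not code from the Secureworks report; the record formats and every sample
log line below are constructed for the example."""
import ipaddress
import re

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Assumed DNS log shape: "<ts> client=<ip> query=<name> type=<rr>"
DNS_LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def classify(indicator):
    """Return (type, normalised value): hash type by hex length, IPv4, or hostname."""
    s = indicator.strip().lower()
    if HEX_RE.match(s) and len(s) in HASH_TYPES:
        return HASH_TYPES[len(s)], s
    try:
        return "ipv4", str(ipaddress.IPv4Address(s))
    except ipaddress.AddressValueError:
        return "hostname", s.rstrip(".")


class IndicatorSet:
    def __init__(self, rows):
        """rows: (indicator, context) pairs as laid out in Table 2."""
        self.by_type = {}
        for indicator, context in rows:
            kind, value = classify(indicator)
            self.by_type.setdefault(kind, {})[value] = context

    def match_hostname(self, host):
        """Exact match or a label prefixed to the indicator (www.rolesnews.com).
        The registered parent of a dynamic DNS indicator is never matched."""
        h = host.lower().rstrip(".")
        for value, context in self.by_type.get("hostname", {}).items():
            if h == value or h.endswith("." + value):
                return value, context
        return None

    def match_hash(self, digest):
        kind, value = classify(digest)
        return self.by_type.get(kind, {}).get(value)

    def match_ip(self, ip):
        return self.by_type.get("ipv4", {}).get(ip)


def scan_dns_log(lines, iocs):
    """Return (client, queried name, context) for each query hitting an indicator."""
    hits = []
    for line in lines:
        m = DNS_LINE_RE.search(line)
        if not m:
            continue
        found = iocs.match_hostname(m["query"])
        if found:
            hits.append((m["client"], m["query"], found[1]))
    return hits


def scan_hash_inventory(rows, iocs):
    """rows: (path, digest) from any hashing tool; the digest type is inferred."""
    hits = []
    for path, digest in rows:
        context = iocs.match_hash(digest)
        if context:
            hits.append((path, context))
    return hits


# A subset of Table 2 (real indicators from the report).
INDICATORS = [
    ("vsmrcil.casacam.net", "ShadowPad C2 server"),
    ("rolesnews.com", "BRONZE HUNTLEY ShadowPad C2 server"),
    ("Live.musicweb.xyz", "BRONZE UNIVERSITY ShadowPad C2 server"),
    ("47.56.228.89", "BRONZE UNIVERSITY ShadowPad C2 server"),
    ("3520e591065d3174999cc254e6f3dbf5", "BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)"),
    ("47cdaf6c5c3fffeeff1f2c9e6c7649f99ab54932", "BRONZE UNIVERSITY ShadowPad DLL loader (log.dll)"),
]
# Constructed DNS log lines and file-hash inventory.
DNS_LOG = [
    "2022-02-10T08:12:03Z client=10.0.0.5 query=vsmrcil.casacam.net type=A",
    "2022-02-10T08:12:04Z client=10.0.0.5 query=casacam.net type=A",        # parent only
    "2022-02-10T08:15:17Z client=10.0.0.9 query=LIVE.MUSICWEB.XYZ. type=A",  # case, trailing dot
    "2022-02-10T08:16:00Z client=10.0.0.7 query=www.rolesnews.com type=A",   # label prefixed
    "2022-02-10T08:16:01Z client=10.0.0.7 query=news.example.com type=A",
]
HASHES = [
    (r"C:\ProgramData\Intel\log.dll", "3520E591065D3174999CC254E6F3DBF5"),  # md5, uppercase
    (r"C:\Windows\System32\kernel32.dll", "0f6a1c9d3b5e7a2c4d6e8f0a1b2c3d4e"),
]

if __name__ == "__main__":
    iocs = IndicatorSet(INDICATORS)
    for client, name, context in scan_dns_log(DNS_LOG, iocs):
        print(f"{client} resolved {name}: {context}")
    for path, context in scan_hash_inventory(HASHES, iocs):
        print(f"{path}: {context}")
```

Of the five constructed DNS lines, three hit (the exact indicator, the upper-cased name with a trailing dot, and a label prefixed to rolesnews.com); the bare casacam.net query does not, and the log.dll digest matches despite being supplied in upper case.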

References

Threat Intelligence Team. “New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities.” Avast. March 8, 2018. https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

Dr Web. “Study of the ShadowPad APT backdoor and its relation to PlugX.” October 26, 2020. https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

Fraser, Nalani and Vanderlee, Kelli. “Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Mission Levels.” FireEye. October 10, 2019. https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

Headquarters, Department of the Army (U.S.). “Chinese Tactics.” August 9, 2021. https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN33195-ATP_7-100.3-000-WEB-1.pdf

Hsieh, Yi-Jhen and Chen, Joey. “ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage.” Sentinel Labs. August 19, 2020. https://assets.sentinelone.com/c/Shadowpad?x=P42eqA

Insikt Group. “Threat Activity Group RedFoxtrot Linked to China's PLA Unit 69010; Targets Bordering Asian Countries.” Recorded Future. June 16, 2021. https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/

Kaspersky. “ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World.” August 15, 2017. https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world

Ni, Adam and Gill, Bates. “The People's Liberation Army Strategic Support Force: Update 2019.” The Jamestown Foundation. May 29, 2019. https://jamestown.org/program/the-peoples-liberation-army-strategic-support-force-update-2019

Prescott, Adam. “Chasing Shadows: A deep dive into the latest obfuscation method being used by ShadowPad.” PwC. December 8, 2021. https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html

Recorded Future. “Threat Activity Group RedFoxtrot Linked to China's PLA Unit 69010; Targets Bordering Asian Countries.” June 16, 2021. https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

Stokes, Mark A.; Lin Jenny; and Hsiao, L.C. Russell. “The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure.” Project 2049 Institute. November 11, 2011. https://project2049.net/wp-content/uploads/2018/05/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf

United States Department of Justice. “Seven International Cyber Defendants, Including 'Apt41' Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally.” September 16, 2020. https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer

United States District Court for the District of Columbia. “United States of America v. Zhang Haoran, Tan Dailin, Defendants.” May 7, 2019. https://www.justice.gov/opa/press-release/file/1317216/download

United States District Court for the Eastern District of Virginia. “Civil Action No: 1:17-cv-01224.” October 26, 2017. https://www.noticeofpleadings.net/barium/files/COMPLAINT_AND_SUMMONS/Complaint.pdf

Wuthnow, Joel and Saunders, Phillip C. “Chinese Military Reforms in the Age of Xi Jinping: Drivers, Challenges, and Implications.” Institute for National Strategic Studies. March 2017. https://ndupress.ndu.edu/Portals/68/Documents/stratperspective/china/ChinaPerspectives-10.pdf

Zetter, Kim. “Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers.” Vice. March 25, 2019. https://www.vice.com/en/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
