Researchers have linked the ShadowPad backdoor malware with the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). Further, they have disclosed the inner workings of ShadowPad in a detailed report.

What’s ShadowPad?

Since 2019, ShadowPad has been used by a growing number of Chinese threat groups.
  • It is a modular remote access trojan (RAT) whose payload is decrypted in memory using a custom decryption algorithm.
  • ShadowPad can collect sensitive system information, interact with the file system and registry, and load new modules at runtime to extend its capabilities.
  • Its payload reaches a host in one of two layouts: as a separate file dropped alongside a DLL loader, or encrypted inside the DLL loader itself.
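The two deployment layouts above (loader DLL plus a separate payload file, or a payload encrypted inside the loader) lend themselves to a simple triage heuristic: look for DLLs that sit next to a large, high-entropy, non-PE blob, or whose own bytes are dominated by high-entropy data. The script below is an added example written for this page, not code from the report or from the malware; the entropy threshold and minimum blob size are assumptions chosen for illustration, the PE check is deliberately minimal, and the directory tree it scans is constructed inline with random bytes standing in for encrypted payloads.

```python
"""Entropy-based triage for the two ShadowPad loader layouts.

Added example, not from the original report. Thresholds are assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.2  # bits/byte; encrypted or compressed data approaches 8.0 (assumption)
MIN_BLOB_SIZE = 4096     # ignore small config/text files (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Cheap PE check on the DOS header magic only; enough for triage, not for parsing."""
    return data[:2] == b"MZ"


def find_suspicious_loaders(root: Path) -> list[dict]:
    """Walk `root` and flag DLLs matching either deployment layout.

    separate_blob: a DLL beside a large, high-entropy, non-PE file.
    embedded:      a DLL whose own contents are mostly high-entropy data.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        files = sorted(files)
        dlls = [f for f in files if f.lower().endswith(".dll")]
        if not dlls:
            continue
        # Candidate payload blobs in this directory: non-PE, big, and looking encrypted.
        blobs = []
        for name in files:
            data = (Path(dirpath) / name).read_bytes()
            if is_pe(data) or len(data) < MIN_BLOB_SIZE:
                continue
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                blobs.append(name)
        for dll in dlls:
            path = Path(dirpath) / dll
            data = path.read_bytes()
            if blobs:
                findings.append({"dir": Path(dirpath).name, "dll": dll,
                                 "payload": blobs, "case": "separate_blob"})
            elif len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings.append({"dir": Path(dirpath).name, "dll": dll,
                                 "payload": None, "case": "embedded"})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree (no real malware): both layouts plus a clean directory."""
    low = b"MZ" + b"\x00" * 512 + b"PE\x00\x00" + b"A" * 8192  # low-entropy stand-in for a benign PE
    (root / "sideload").mkdir()
    (root / "sideload" / "legit.exe").write_bytes(low)
    (root / "sideload" / "loader.dll").write_bytes(low)
    (root / "sideload" / "config.dat").write_bytes(os.urandom(8192))  # separate encrypted payload
    (root / "embedded").mkdir()
    (root / "embedded" / "loader.dll").write_bytes(b"MZ" + b"\x00" * 62 + os.urandom(16384))
    (root / "clean").mkdir()
    (root / "clean" / "helper.dll").write_bytes(low)
    (root / "clean" / "readme.txt").write_bytes(b"nothing to see here\n" * 400)


def demo() -> list[dict]:
    """Build the sample tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_suspicious_loaders(root)


if __name__ == "__main__":
    for f in demo():
        print(f["case"], f["dir"], f["dll"], f["payload"])
```

On a real host this is a triage filter, not a detection: compressed archives, media assets and legitimately packed binaries also score high, so the hits should be enriched with signer information, loading process and prevalence before anyone acts on them. For the embedded case, per-section entropy of the DLL would be less noisy than whole-file entropy.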

Researchers have finally been able to link this malware to China.

The Chinese MSS connection

  • The campaigns spreading the malware were attributed to the Bronze Atlas threat group.
  • Earlier DOJ indictments connected Bronze Atlas to the Chengdu 404 security firm, whose personnel allegedly worked alongside Chinese government officials.
  • A report has also documented string and code overlap between ShadowPad and PlugX, a malware family widely used by Chinese actors.

The Chinese PLA connection

Evidence suggests that ShadowPad was deployed on behalf of several of the PLA's regional theater commands.
  • Of the PLA's five theater commands, the researchers tied distinct ShadowPad activity clusters to three: the Southern, Western, and Northern Theater Commands.
  • The Northern Theater Command deployed ShadowPad against targets in South Korea, Russia, Japan, and Mongolia.
  • The Western Theater Command targeted countries along China's western border, such as India and Afghanistan.
  • The Southern Theater Command targeted organizations in the South China Sea region.

Conclusion

Nation-state threat groups pose a serious challenge: they have the resources to pursue any target they choose. The use of the same backdoor across multiple threat groups also suggests shared tooling, and likely coordination, between them. Organizations should therefore monitor for the TTPs associated with the ShadowPad backdoor, in particular its loader and payload deployment patterns.

Cyware Publisher
