VMware's Threat Analysis Unit (TAU) has recently discovered the C2 server infrastructure supported by the ShadowPad malware, a successor to the PlugX malware family.
Recent discovery
- The researchers analyzed three ShadowPad variants, namely Variant1 (aka ScatterBee), Variant2, and Variant3, collected in August 2021 and analyzed now.
- Between September 2021 to September 2022, 83 ShadowPad C2 servers (75 unique IPs) were identified on the internet. Among these, Variant1 was active in 48% of cases, Variant2 in 10% of cases, and Variant3 was observed in 42% of cases.
- Compared with 2021, the number of active C2 servers has been on a declining trend this year, though it was at its peak in June (with 23 servers).
- ShadowPad supports six C2 protocols: TCP, SSL, HTTP, HTTPS, UDP, and DNS of which three protocols TCP, HTTP(S), and UDP are highly utilized in recently identified ShadowPad samples.
The immediate encryption key values used in the encoding algorithms for each of the variants vary. Due to this reason, every time the group makes any change, the discovery of a new variant becomes difficult.
Connections with other malware
Researchers analyzed the three ShadowPad variants to discover the C2 servers by scanning the list of open hosts generated by a tool called ZMap.
- ShadowPad variants have been previously put to use by other groups namely Winnti (aka APT41), Tonto Team, and Space Pirates.
- Two malicious tools Spyder and ReverseWindow have been communicating with ShadowPad C2 IP addresses. These tools have been previously used by Winnti and LuoYu.
- There has been a notable overlap between the Spyder sample and a Worker component of the threat actor's Winnti 4.0 trojan as well.
Conclusion
Multiple Chinese state-sponsored actors have privately accessed and shared the ShadowPad infrastructure in the past, and by looking at its recent connections with other malware, this malware is expected to expand further in the future as well. Therefore, to stay protected, organizations are recommended to specifically monitor known TTPs associated with ShadowPad and other relevant malware groups.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/12ec_shutterstock_687323650.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_465668897.jpg)
