SentinelLabs releases in-depth study on ShadowPad malware
August 2021 by SentinelLabs
SentinelLabs has released a new in-depth study of ShadowPad, the privately sold modular malware platform used by a range of Chinese threat activity groups. The study examines its origin, usage and ecosystem, and discusses the local personas possibly involved in the development of ShadowPad as an iterative successor to PlugX.
As you may recall, ShadowPad activity was observed in the March 2021 attacks against Microsoft Exchange servers.
Key findings include:
• It is likely that ShadowPad is a privately sold modular malware rather than a privately shared attack framework, and the seller is likely selling each plugin separately instead of offering a full bundle with all of the currently available plugins.
• The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors. Some threat groups stopped developing their own backdoors after they gained access to ShadowPad, and ShadowPad is regularly updated with more advanced anti-detection and persistence techniques.
• SentinelOne has identified at least five activity clusters of ShadowPad users since 2017: APT41, Tick & Tonto Team, Operation Redbonus, Operation Redkanku and Fishmonger. BARIUM (Rose and Zhang Haoran) was one of the earliest threat groups with access to ShadowPad. Aside from some smaller-scale attacks against the gaming industry, BARIUM was responsible for several supply chain attacks between 2017 and 2018; its victims included NetSarang, ASUS and, allegedly, CCleaner.
• Given the long-standing affiliation between Rose and whg, Rose likely had high-privilege access to – or was a co-developer of – ShadowPad, and other close affiliates in Chengdu were likely sharing resources. This would also explain why BARIUM was able to utilise a special version of ShadowPad in some of its attacks.
• Another subgroup, LEAD, also used ShadowPad alongside other backdoors to attack victims for both financial and espionage purposes. LEAD has been reported to target electronics providers and consumers, universities, telecommunications companies, NGOs and foreign governments.