[BreachExchange] ShadowPad Malware Platform Proves a Threat to Watch

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Aug 20 08:50:49 EDT 2021


https://www.darkreading.com/threat-intelligence/shadowpad-malware-platform-proves-a-threat-to-watch

Security researchers who took a deep dive into the ShadowPad malware
platform discovered a new controller and several details that shed light on
how this modular malware operates and may pose a threat to enterprise
defenders.

ShadowPad first emerged in 2015 and is used by at least four clusters of
espionage activity, report SentinelLabs researchers who have been analyzing
the threat. It has been involved in multiple, high-profile supply chain
attacks, including CCleaner, NetSarang, and ShadowHammer.

Over the years, the malware platform has spread across state-sponsored
Chinese groups that previously relied on attack tools such as PlugX,
RedLeaves, and other remote access Trojans (RATs). Prior to ShadowPad's
emergence, there was a sense of a "digital quartermaster" sharing the
malware among threat groups but no concrete understanding of how the
process worked.

The researchers' newest findings include a controller that gave them a
clearer picture of how the builder generates shellcodes, how attackers
manage infected hosts, and the controller's different capabilities.

"ShadowPad is the preferred, or more desirable, tool for these groups and
starts to replace tools like PlugX that had been around for so long," says
J.A. Guerrero-Saade, principal threat researcher at SentinelOne. While the
relationship between PlugX and ShadowPad has been discussed, the new
findings indicate ShadowPad is "highly likely" to be the successor to PlugX.

Unlike PlugX, which is publicly sold, ShadowPad is privately shared among a
limited set of users. It is a modular platform, which Guerrero-Saade says
is significant. The most advanced attackers the research team has observed
tend to refer to modular frameworks in their campaigns.

"The idea is, you have a main platform you infect a target with, and then
you can use different plug-ins to expand your capabilities without having
to replace that main malware, without having to code a whole new separate
thing," he explains, later adding, "It's one of the bigger evolutions that
ShadowPad presents."

ShadowPad is a modular backdoor in shellcode format. When it's executed, a
layer of obfuscated shellcode loader code decrypts and loads a Root plugin.
Once the Root plugin is decrypted, the malware loads the other plugins
embedded in the shellcode into memory. Additional plugins can be uploaded
from the command-and-control (C2) server, so attackers can add new
functionality that isn't included by default.

In theory, anyone who can build a plug-in that is encrypted and compressed
in the correct format could add new capabilities to the backdoor. But
researchers found ShadowPad wasn't designed as a collaborative framework.
Only plug-ins created by the original developer can be included and used in
the ShadowPad controller, and its seller has tight control over them.

"Looking deeply into the plugin numbers and the distribution of different
plugins embedded in around a hundred samples, we assessed that the seller
is likely selling each plugin separately instead of offering a full bundle
with all of the currently available plugins," researchers explain. A buyer
would need to choose the number of plugins they need, and get them from the
seller.

It takes a specific kind of format and platform knowledge to be able to
develop plug-ins, and Guerrero-Saade says there hasn't been any variation
in that. He describes the sale of plug-ins as a "tiered system" in which
the seller chooses to give specific capabilities to specific people, and
often plug-ins are inaccessible or too expensive for the buyers who want
them. In this case, they take matters into their own hands.

"Some of the groups we've seen not having access to different plug-ins we
know to be available … we see them creating their own tools to do the same
thing in a sort of redundant fashion," Guerrero-Saade says.

Analysis of the controller revealed it's written in Delphi and has the
ability to both generate malware and control backdoor communications. The
controller has an interface to manage infected hosts and C2 servers and
build new ShadowPad shellcode pieces – a trait they call "a relatively
unique characteristic of malware used by Chinese espionage threat actors."

The malware is privately sold to a small group of customers. SentinelOne
has identified at least five activity clusters of ShadowPad users since
2017. These include APT41, the name for activities conducted by two
spin-offs of what used to be called "Winnti": Barium and Lead. The
researchers are tracking its other customers as Tick and Tonto Team,
Operation Redbonus, Operation RedKanku, and Fishmonger.

Buying Instead of Building

Some attackers have stopped developing their own backdoors, opting instead
to use ShadowPad. This points to a shift, researchers say, that is largely
influenced by the privately sold platform. Buying a piece of malware lowers
the cost of operation and human resources needed to develop the malware
in-house.

"If all these groups make their own tools, they might make mistakes, not be
as good developers, have bugs and issues … all different kinds of problems
that attackers who develop their own tools are familiar with,"
Guerrero-Saade explains. Still, there is a downside: Buying malware can be
prohibitively expensive for attackers, and not everyone can access
ShadowPad's capabilities.

Unfortunately for defenders, the growth in use of ShadowPad provides
adversaries with a layer of security and makes it difficult to attribute
attack activity. When it first emerged on the scene, researchers considered
ShadowPad to be used by one group. Seeing multiple groups use it is "all
the more concerning," he adds, as it's a very capable tool that may bypass
detection.

Organizations relying on security tools that are doing basic endpoint
detection and response (EDR) logging are going to have a hard time with an
attack tool that resides in memory, he continues. Because ShadowPad loads
plug-ins directly into memory, it's harder for security products to pick up
on.

"It's a fantastic tool for these attackers and presents defenders with new
challenges," he says.