S0596 ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [3][2][4]

| Item | Value |
|---|---|
| ID | S0596 |
| Associated Names | POISONPLUG.SHADOW |
| Type | MALWARE |
| Version | 1.2 |
| Created | 23 March 2021 |
| Last Modified | 26 March 2023 |

Associated Software Descriptions

| Name | Description |
|---|---|
| POISONPLUG.SHADOW | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL. [4] |
| enterprise | T1071.002 | File Transfer Protocols | ShadowPad has used FTP for C2 communications. [4] |
| enterprise | T1071.004 | DNS | ShadowPad has used DNS tunneling for C2 communications. [4] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | ShadowPad has encoded data as readable Latin characters. [2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ShadowPad has decrypted a binary blob to start execution. [4] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | ShadowPad uses a DGA that is based on the day of the month for C2 servers. [2][4][1] |
| enterprise | T1070 | Indicator Removal | ShadowPad has deleted arbitrary Registry values. [4] |
| enterprise | T1105 | Ingress Tool Transfer | ShadowPad has downloaded code from a C2 server. [2] |
| enterprise | T1112 | Modify Registry | ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system. [4][5] |
| enterprise | T1095 | Non-Application Layer Protocol | ShadowPad has used UDP for C2 communications. [4] |
| enterprise | T1027 | Obfuscated Files or Information | ShadowPad has encrypted its payload, a virtual file system, and various files. [2][5] |
| enterprise | T1027.011 | Fileless Storage | ShadowPad maintains a configuration block and virtual file system in the Registry. [4][5] |
| enterprise | T1057 | Process Discovery | ShadowPad has collected the PID of a malicious process. [4] |
| enterprise | T1055 | Process Injection | ShadowPad has injected an install module into a newly created process. [4] |
| enterprise | T1055.001 | Dynamic-link Library Injection | ShadowPad has injected a DLL into svchost.exe. [4] |
| enterprise | T1029 | Scheduled Transfer | ShadowPad has sent data back to C2 every 8 hours. [2] |
| enterprise | T1082 | System Information Discovery | ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers. [4] |
| enterprise | T1016 | System Network Configuration Discovery | ShadowPad has collected the domain name of the victim system. [4] |
| enterprise | T1033 | System Owner/User Discovery | ShadowPad has collected the username of the victim system. [4] |
| enterprise | T1124 | System Time Discovery | ShadowPad has collected the current date and time of the victim system. [4] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | [3] |
| G0081 | Tropic Trooper | [3] |
| G1006 | Earth Lusca | [5] |
| G0096 | APT41 | [1][3] |
| G0131 | Tonto Team | [6] |

References