ShadowPad is a modular backdoor – each plugin contains specific functionality that can be ‘plugged’ or ‘unplugged’ during runtime – in shellcode format.
It also allows dynamic loading of additional plugins which are not initially embedded in the sample from the C&C server.
ShadowPad is a modular backdoor in shellcode format.
On execution, a layer of an obfuscated shellcode loader is responsible for decrypting and loading a Root plugin.
While the sequence of operation in the Root plugin decrypts, it loads other plugins embedded in the shellcode into memory.
Along with the plugins embedded in the sample, additional plugins are allowed to be remotely uploaded from the C&C server, which allows users to dynamically add functionalities not included by default.
As luck would have it, the ShadowPad controller was accidentally discovered during private research. All of the stakeholders involved agreed to releasing screenshots but not the details of the actual file, so analysts unable to provide hashes for this component at present.
Analysis of the controller allowed to obtain a clear picture of how the builder generates the shellcodes, how the users manage the infected hosts, and the kinds of functions available on the controller. Written in Delphi, it has the capability to both generate malware and control backdoor communications.
The controller provides an interface to manage infected hosts, manage C&C server listeners and build new ShadowPad shellcode pieces. This is a relatively unique characteristic of malware used by Chinese espionage threat actors.
-Transfer: The transferring progress of files which are currently being transferred from and to the infected hosts.
-Listen: To control the C&C listeners and the protocols in use. Setting: Intended to be a setting panel, but there is no option on the list in this version.
-Builder: The ShadowPad shellcode builder.
The main page of the controller.
• Users: The list of infected hosts.
• Transfer: The transferring progress of files which are currently being transferred from and to the infected hosts.
• Listen: To control the C&C listeners and the protocols in use.
• Setting: Intended to be a setting panel, but there is no option on the list in this version.
• Builder: The ShadowPad shellcode builder.
The user can choose to enter the management console of a single infected computer.
The console allows the user to manage the plugin list and use the functions of each plugin. The plugins “Root” to “Http” are embedded in the samples by default.
If the user wants to use the functions of other plugins, those plugins need to be uploaded to the infected computer.
The plugin management page. The user can add or remove a plugin.Fig 5: The popup message of asking the user to upload a plugin.
The builder allows the user to modify the campaign code and notes, anti-debugger settings, installation settings (service and register), process injection settings, C&C servers and connection modes.
It also contains configuration import and export functionalities.
The builder in ShadowPad controller.
An intriguing question to address is whether ShadowPad is a privately shared attack framework or a privately developed modular malware platform for sale to specific groups.
Its design allows the users to remotely deploy new plugins to a backdoor.
In theory, anyone capable of producing a plugin that is encrypted and compressed in the correct format can add new functionalities to the backdoor freely.
However, the control interfaces of the plugins are hardcoded in the “Manager” page of the ShadowPad controller, and the controller itself does not include a feature to add a new control interface.
In other words, it is unlikely that ShadowPad was created as a collaborative attacking framework.
Only the plugins produced by the original developer could be included and used through the ShadowPad controller.
On the other hand, even if the control interface of a plugin is listed in the menu, not every available plugin is embedded in the ShadowPad samples built by the controller by default.
Once a plugin is not included in the compiled sample, the user needs to upload the corresponding plugin (encrypted and compressed in the correct format) and place it in the “Plugins” directory in the package during runtime on the client side. There is no configuration in the builder to allow the user to choose which plugins are compiled into the generated sample, so this setting can only be managed by the developer of the controller.
Any functionality can be easily removed from the bundle by removing the corresponding plugin from the directory.
If ShadowPad was not originally designed as an open framework, the following question is whether it is freely shared with or sold to its users.
The possible author ‘whg’ – and one of his close affiliates, Rose, who will be introduced in the following section – have been monetizing their malware development and hacking skills.
Both individuals sold self-developed malware, and Rose offered services such as software cracking, penetration testing and DDoS attacks6. If ShadowPad was developed by them or their close affiliates, it is more likely to be sold to – rather than freely shared with – other users under this context.
As discussed, the available functionalities to ShadowPad users are highly controlled by the seller of ShadowPad. Looking deeply into the plugin numbers and the distribution of different plugins embedded in around a hundred samples, analysts assessed that the seller is likely selling each plugin separately instead of offering a full bundle with all of the currently available plugins.
In other words, a buyer needs to pick how many plugins they need and acquire them from the seller. The seller does not provide all the functionality or capabilities by default.
Most of the samples contain less than nine plugins with the following plugins embedded: Root, Plugins, Config, Install, Online, TCP, HTTP, UDP and DNS.
This set of plugins can only support the installation of backdoors and communications with C&C servers, without providing further functionality. Actors owning samples with more than 16 plugins, which are all packed by the same loader and are likely to be used by a single closed group, are likely to be offered as ‘fully packaged’ versions of ShadowPad with the specially configured builders that can build samples with a full set of plugins.
In other cases, the actors can only compile ShadowPad backdoors with the basic set of plugins.
They need to manually upload other plugins if they want to use other functionalities.
During research, analysts found Tick – one of the threat groups with access to ShadowPad – developed a tool to extract the list of installed software information on an infected host while a plugin of ShadowPad with the same functionality – the plugin “Software” – was discovered in a sample used by another threat group in a similar time frame.
This shows that not every customer of ShadowPad decides to (or is able to) obtain all of the available plugins.
The plugins are likely to be provided separately.
The number of plugins embedded in the samplesSample Number 0102030405060012345678910111213141516171819
WHAT THREAT ACTORS ARE USING SHADOWPAD?Despite being the potential successor to PlugX, ShadowPad is sold privately to a limited set of customers. Analysts have identified at least 5 activity clusters of ShadowPad users.
APT41APT41 is the accepted naming convention for the activities conducted by two spinoffs of what was once referred to as ‘Winnti’, sub-groups – BARIUM (Tan Dailin aka Rose and Zhang Haoran) and LEAD (Chengdu 404 Network Technology Co., Ltd).
All of the individuals are based in Chengdu, Sichuan. Rose, Zhang Haoran, and Jiang Lizhi (AKA “BlackFox”, one of the responsible persons of Chengdu 404) were coworkers.
One of the actors, Rose – started his active collaboration on malware development with whg, the author of PlugX, when he was a member of the hacking group NCPH.
They developed “NCPH Remote Control Software” together. The executable of the controller was freely shared on NCPH websites, but they also declared that the source code was for sale. Aside from this, NCPH offered customized services of software cracking, malware development and penetration testing. Both Rose and whg were monetizing their malware development skills back in the day.
BARIUM (Rose and Zhang Haoran) were one of the earliest threat groups with access to ShadowPad.
Aside from some smaller-scale attacks against the gaming industry, they were accountable for several supply chain attacks], some of their victims included NetSarang, ASUS, and allegedly, CCleaner.
In the aforementioned incidents, the actors used ShadowPad as the primary backdoor of the intrusion after the initial infection phases.
During the supply chain attack against ASUS, the samples of ShadowPad were highly customized compared to other ShadowPad samples analysts analyzed.
Every layer of shellcode and plugin was packed with VMProtect, and the plugins had different plugin numbers. Another subgroup, LEAD, also used ShadowPad along with other backdoors to attack victims for both financial and espionage purposes.
They were reported to attack electronic providers and consumers, universities, telecommunication, NGO and foreign governments.Considering the long-term affiliation relationship between Rose and whg, analysts suspect that Rose likely had high privilege access to – or was a co-developer of – ShadowPad, and other close affiliates in Chengdu were likely sharing resources.
This could also explain why BARIUM was able to utilize a special version of ShadowPad in some of their attacks.
TICK AND TONTO TEAMTick and Tonto Team.
These two groups amalgamated into a new institution during the reorganization of the PLA, and soon thereafter analysts identified significant resource sharing between them, such as the overlaps of C&C infrastructure and the utilities of similar toolsets.
A noticeable change after the merge was that they started to use ShadowPad as their primary backdoor for conducting intrusion activities. In the past, they were known to develop their own backdoors for their operations.
The threat group conducted several operations with ShadowPad as the primary backdoor.
Internally, they called ShadowPad “Casper”, according to the PDB strings extracted from the customized loaders. Tick crafted and sent spear phishing emails to deliver ShadowPad in victims’ networks for information exfiltration and long-term espionage.
They exploited CVE-2019-948919 and CVE-2020-846820 in Trend Micro’s security solutions that were exposed to the Internet, in order to deliver ShadowPad into internal networks for further exploitation.
Based on the sample sets analysts collected, Tick used at least five different versions of ShadowPad; however, all of the samples only contained the basic set of plugins.
Although they turned from self-developed backdoors to the acquired or leaked backdoors, they still developed some customized tools for intrusion, such as a modified mimikatz, a screen capture tool, a packet transmission tool, a tool to list the software installed on a computer, and a VBScript command execution tool.
For instance, analysts uncovered a VBScript command execution tool builder which can generate a payload of VBScript with built-in evasion techniques to bypass TrendMicro products.
The self-developed tool to list the software strongly suggests that Tick was unable to obtain all of the available plugins, since a plugin with the same functionality was available at that time.
OPERATION REDBONUS
Analysts caught a ShadowPad activity cluster that had no clear link to known threat groups. Analysts tracks the activities of this cluster under the moniker ‘Operation Redbonus’.
All the samples analysts collected from Operation Redbonus were running the same version of ShadowPad.
During investigations, analysts also spotted other backdoors in use, such as Whitebird22, IceFog and a customized instance of PCShare. The actors behind this cluster appear to show interest in Indian targets with several DDNS domains spoofing some Indian institutions.
OPERATION REDKANKU
There is another small set of ShadowPad samples without clear attributions in the public domain.
All of the C&C servers extracted from the samples had a self-signed certificate b41948daacd4c081a58a14aa51c37af21738447b installed.
Whilst further attribution or overlaps are not available at the time of writing, some related samples were documented to be a part of the ProxyLogon attacks according to a report by ESET
FISHMONGER
Another activity cluster – tracked by researchers as Fishmonger.
The cluster is tracked based on the overlap of infrastructure and indicators, as well as some behavioral connections between different campaigns.
In past, the actors used a special version of ShadowPad which allowed them to generate samples with a handful of plugins embedded by default.
Later, they gained access to a new version of ShadowPad which had updates and more advanced obfuscation techniques.
They are now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring26, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike.
The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the US.
OTHERS
Some public reporting detail other possible users of ShadowPad, including LuckyMouse (ESET) and Tropic Trooper (PwC). However, analysts do not have visibility of this activity.
ASSESSMENT
Apart from the threat groups and activity clusters detailed above, there are still some unattributed ShadowPad samples in the sample set analysts collected and analyzed.
The nature of privately sold backdoors requires more context to begin analytically-sound attribution. There might be other unidentified actors using this backdoor, and it requires a rigorous approach when attempting to attribute ShadowPad campaigns.Since ShadowPad is a powerful backdoor with a complete set of functionalities, a number of its users (for instance, Tick and Fishmonger) deploy ShadowPad for the purpose of long-term espionage in victim environments.
Threat actors using ShadowPad select systems with high privileges on networks to reduce the probability of detection, such as AD servers or domain controllers.
Proactive scanning and periodical health checks on high-privilege hosts are essential to discover the footprints of attackers.
LANDSCAPE SHIFT: FROM DEVELOPING BACKDOORS TO ACQUIRING BACKDOORSIt is not a secret that a number of Chinese threat actors develop their own tool sets based on their needs during operations. However, established espionage threat actors also acquire tooling to add to their arsenals.
Tick was one of the most active users of ShadowPad according to research.
Prior to this, Tick was documented to be using self-developed backdoors including Darsef, xxmm and Datper.
A noticeable change analysts discovered during the monitoring of the threat group was that the actors later stopped the use of other self-developed backdoors after actively using ShadowPad (which they called Casper).
This example of the shift from ‘home-brewed’ backdoors to acquired malware marks a noticeable change influenced by the privately sold malware platform ShadowPad.
Acquiring a well-designed piece of malware significantly reduces the cost of operation and human resource needed to develop the malware in-house.
The service provider also keeps enhancing the stability and usability of the backdoor with new features added, unlike much of the commodity malware found in cybercriminal circles or underground forums.
Furthermore, the usage of shared malware provides espionage threat actors a layer of security in that it makes attribution much more difficult for defenders.
The popularity of malware such as ShadowPad and Cobalt Strike among Chinese espionage groups makes campaign identification significantly harder.