Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA

Cybersecurity researchers have detailed the inner workings of ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat groups in recent years, while also linking it to the country’s civilian and military intelligence agencies.

“ShadowPad is decrypted in memory using a custom decryption algorithm,” researchers from Secureworks said in a report shared with The Hacker News. “ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality.”

ShadowPad is a modular malware platform with noticeable overlaps with the PlugX malware, and it has been put to use in high-profile attacks against NetSarang, CCleaner, and ASUS, prompting the operators to shift tactics and update their defensive measures.

While the initial campaigns that delivered ShadowPad were attributed to a threat cluster tracked as Bronze Atlas aka Barium – Chinese nationals working for a networking security company named Chengdu 404 – the malware has since 2019 been used by multiple Chinese threat groups.

In a detailed overview of the malware in August 2021, cybersecurity company SentinelOne dubbed ShadowPad a “masterpiece of privately sold malware in Chinese espionage.” A subsequent analysis by PwC in December 2021 disclosed a bespoke packing mechanism – named ScatterBee – that’s used to obfuscate malicious 32-bit and 64-bit payloads for ShadowPad binaries.

The malware payloads are traditionally deployed to a host either encrypted within a DLL loader or embedded inside a separate file along with a DLL loader, which then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm tailored to the malware version.
These DLL loaders execute the malware after being sideloaded by a legitimate executable vulnerable to DLL search order hijacking, a technique that abuses the order in which Windows looks for the DLLs a program requires: a malicious DLL placed in a location that is searched before the genuine library's directory is loaded in its place.
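The sideloading pattern described above leaves a recognisable trace in image-load telemetry: a DLL that is unsigned, sits in the same directory as the executable that mapped it, and is not served from a Windows system directory. The following detection logic is an added example written for this article, not code from Secureworks or from the ShadowPad loaders; it assumes records shaped like Sysmon Event ID 7 (Image Loaded) entries, and the system-directory and user-writable-root lists as well as the sample records are constructed assumptions.

```python
# Flag probable DLL search-order hijacking (sideloading) in image-load telemetry.
# Each record mirrors a Sysmon Event ID 7 (Image Loaded) entry: Image is the process
# executable, ImageLoaded the DLL it mapped, Signed / SignatureStatus the DLL's
# Authenticode state. All records below are constructed, not real telemetry.
from pathlib import PureWindowsPath

# Directories Windows serves its own DLLs from (assumed baseline).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# User-writable roots: an executable running from here is more likely to have been
# dropped next to a planted DLL (assumed list; extend for your estate).
WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def _under(path, roots):
    return any(str(path).startswith(r) for r in roots)

def classify(record):
    """Return 'high', 'medium' or None for one image-load record.
    The loader searches the application directory before the system directories,
    so an unsigned DLL beside a legitimate executable is the shape a sideload
    takes; DLLs served from the system paths are never flagged."""
    image = PureWindowsPath(record["Image"].lower())
    dll = PureWindowsPath(record["ImageLoaded"].lower())
    if dll.suffix != ".dll" or _under(dll, SYSTEM_DIRS):
        return None
    if dll.parent != image.parent:
        return None  # loaded from somewhere other than the exe's own directory
    if record.get("Signed") == "true" and record.get("SignatureStatus") == "Valid":
        return None  # properly signed DLL shipped with the application
    return "high" if _under(image, WRITABLE_ROOTS) else "medium"

def find_sideload_candidates(records):
    """Return (severity, ImageLoaded) for every record classify() flags."""
    return [(sev, r["ImageLoaded"]) for r in records if (sev := classify(r))]

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for sev, path in find_sideload_candidates(SAMPLE_RECORDS):
        print(f"[{sev}] possible sideloaded DLL: {path}")
```

Only the third sample record is flagged; a signed vendor DLL installed beside its application and a system DLL loaded from System32 both pass, which keeps the rule usable as a triage filter rather than a noise source.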

Select infection chains observed by Secureworks also involve a third file that contains the encrypted ShadowPad payload, which work by executing the legitimate binary (e.g.,…