Tag Archive for: ShadowPad

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware


Jul 18, 2023 | THN | Malware / Cyber Attack


An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that’s commonly associated with Chinese hacking crews.

Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.

The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems.

The attack chain takes the form of a malicious installer for E-Office, an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless.

It’s currently not clear how the backdoored E-Office installer was delivered to the targets. That said, there’s no evidence to date that the build environment of the Pakistani government agency in question has been compromised.

This raises the possibility that the threat actor obtained the legitimate installer, tampered with it to add the malware, and then lured victims into running the trojanized version through social engineering.

“Three files were added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll, and mscoree.dll.dat,” Trend Micro researcher Daniel Lunghi said in an updated analysis published today.

Telerik.Windows.Data.Validation.dll is not a Telerik library at all: it is a renamed copy of Microsoft's signed applaunch.exe, a .NET launcher that resolves mscoree.dll by name and is therefore vulnerable to DLL side-loading. Because an executable's own directory is searched before System32, the mscoree.dll dropped next to it is loaded in place of the real runtime shim, and that malicious DLL in turn loads mscoree.dll.dat, the ShadowPad payload. The signed launcher gives the chain a legitimately signed parent process.
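A header-level triage check for the three-file pattern just described, written here as an added example (it is not Trend Micro's or the NITB's code). It parses only the PE file header to tell an executable image carrying a .dll name from a real DLL, flags a runtime DLL name such as mscoree.dll found in an application directory, where the launcher's search order finds it before the copy in System32, and reports a .dat sidecar beside that DLL. The sample file set is constructed inline (header-only images, no real binaries); the configurable side-load name list and the placeholder application executable name are assumptions of this example.

```python
"""Header-level triage for the applaunch.exe -> mscoree.dll -> mscoree.dll.dat chain.

Added example, not code from Trend Micro or the NITB. It inspects a set of
files (name -> bytes) the way an analyst would look at an unpacked installer:
  1. a *.dll-named file whose PE Characteristics lack IMAGE_FILE_DLL is an
     executable under a DLL name (e.g. a renamed signed launcher);
  2. a runtime DLL name such as mscoree.dll in an application directory is a
     side-load candidate: the executable's directory is searched before
     System32, so the planted copy wins;
  3. "<name>.dat" next to such a DLL is a likely encrypted payload sidecar.
"""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# DLL names a signed launcher resolves by bare name. Only mscoree.dll comes from
# the reported chain; making the set configurable is this example's assumption.
DEFAULT_SIDELOAD_NAMES = frozenset({"mscoree.dll"})


def pe_characteristics(data: bytes):
    """Return IMAGE_FILE_HEADER.Characteristics, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes); Characteristics is its last WORD.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return characteristics


def is_disguised_exe(name: str, data: bytes) -> bool:
    """True when a *.dll-named file is really an executable image."""
    chars = pe_characteristics(data)
    return name.lower().endswith(".dll") and chars is not None and not chars & IMAGE_FILE_DLL


def triage(files: dict, sideload_names=DEFAULT_SIDELOAD_NAMES) -> list:
    """Return human-readable findings for a directory listing {filename: bytes}."""
    findings = []
    present = {n.lower() for n in files}
    for name, data in files.items():
        low = name.lower()
        if is_disguised_exe(name, data):
            findings.append(f"{name}: .dll name but PE header marks an EXE (renamed launcher?)")
        if low in sideload_names:
            findings.append(f"{name}: runtime DLL outside System32 (side-load candidate)")
            if low + ".dat" in present:
                findings.append(f"{name}.dat: sidecar beside {name} (encrypted payload candidate)")
    return findings


def build_min_pe(characteristics: int) -> bytes:
    """Constructed header-only PE image (not loadable) with the given Characteristics."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


def sample_dropped_files() -> dict:
    """Constructed sample mirroring the three added files; "eoffice.exe" is a placeholder name."""
    return {
        "eoffice.exe": build_min_pe(IMAGE_FILE_EXECUTABLE_IMAGE),
        "Telerik.Windows.Data.Validation.dll": build_min_pe(IMAGE_FILE_EXECUTABLE_IMAGE),
        "mscoree.dll": build_min_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL),
        "mscoree.dll.dat": b"\x00" * 64,  # opaque blob standing in for the encrypted payload
    }


if __name__ == "__main__":
    for line in triage(sample_dropped_files()):
        print(line)
```

The check is deliberately cheap, which is also its limit: it says nothing about who signed the launcher or whether the mscoree.dll beside it is legitimate. On a live Windows host the natural follow-ups are to compare each file's Authenticode signature and version-resource OriginalFilename against its on-disk name, and to treat any process whose loaded mscoree.dll does not resolve to the System32 path as suspect.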

Trend Micro said the obfuscation techniques used to conceal the DLL loader and the decrypted final-stage malware are an evolution of an approach previously exposed by Positive Technologies in January 2021 in connection with a Chinese cyber espionage campaign undertaken by the Winnti group (aka APT41).


Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA


Cybersecurity researchers have detailed the inner workings of ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat groups in recent years, while also linking it to the country’s civilian and military intelligence agencies.

“ShadowPad is decrypted in memory using a custom decryption algorithm,” researchers from Secureworks said in a report shared with The Hacker News. “ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality.”

ShadowPad is a modular malware platform with noticeable overlaps with the PlugX malware, and it has been used in high-profile supply-chain attacks against NetSarang, CCleaner, and ASUS, after which its operators shifted tactics and updated their defensive measures.


While the initial campaigns that delivered ShadowPad were attributed to a threat cluster tracked as Bronze Atlas (aka Barium), Chinese nationals working for a network security company named Chengdu 404, it has been used by multiple Chinese threat groups since 2019.

In a detailed overview of the malware in August 2021, cybersecurity company SentinelOne dubbed ShadowPad a “masterpiece of privately sold malware in Chinese espionage.” A subsequent analysis by PwC in December 2021 disclosed a bespoke packing mechanism – named ScatterBee – that’s used to obfuscate malicious 32-bit and 64-bit payloads for ShadowPad binaries.

The malware payloads are traditionally deployed to a host either encrypted within a DLL loader or embedded inside a separate file along with a DLL loader, which then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm tailored to the malware version.


These DLL loaders execute the malware after being sideloaded by a legitimate executable vulnerable to DLL search order hijacking: Windows searches the executable's own directory before the system directories, so a loader DLL planted beside a signed binary that imports a DLL of that name is loaded in place of the legitimate copy.

Select infection chains observed by Secureworks also involve a third file that contains the encrypted ShadowPad payload, which work by executing the legitimate binary (e.g.,…


RedEcho, ShadowPad — how Chinese hackers may have accessed critical Indian computer systems

New Delhi: Speculation is rife whether last October’s massive power outage in Mumbai was caused by hackers linked to China after a New York Times report claimed there had been a cyber campaign targeting India amid the border standoff in Ladakh.

Maharashtra’s Energy Minister Nitin Raut Monday confirmed that the outage, which brought Mumbai to a near stop for several hours on 12 October, was a result of a cyberattack and called it “sabotage”. However, he didn’t elaborate further on where the cyberattack originated from.

The NYT report, dated 28 February, is based on a report by American cybersecurity firm Recorded Future, titled ‘China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions’. The study talked of a “campaign conducted by a China-linked threat activity group, RedEcho, targeting the Indian power sector”.

It identified 12 critical infrastructure entities in India that could have been targeted, including 10 power sector organisations and two maritime sector organisations.

Recorded Future had cited regional media in its report to say the power disruption was likely caused by malware found at an electricity despatch center near Mumbai. Despatch centres manage and monitor the efficient transmission of electricity through the power grid.

But the firm added: “At this time, the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated.”

The Union power ministry issued a report Monday, stating it had received an email from the Indian Computer Emergency Response Team (CERT-In) on 19 November 2020 about a malware threat ShadowPad “at some control centres of POSOCO (Power System Operation Corporation Limited)”.

The malware ShadowPad has been linked to China-backed hackers in the past.

The ministry said it had also received an email on 12 February 2021 from the National Critical Information Infrastructure Protection Centre (NCIIPC) that said, “Chinese state-sponsored threat Actor group known as Red Echo is targeting Indian Power sector’s Regional Load Dispatch Centres (RLDCs) along with State Load Dispatch Centres (SLDCs).”

The ministry…


ShadowPad: Backdoor uncovered in NetSarang server management software – The INQUIRER

SOUTH KOREAN SOFTWARE MAKER NetSarang has admitted that recent builds of all its software products were shipped with backdoors believed to have been slipped in by hackers from mainland China. The malware was picked up in an investigation by …
