Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA

Cybersecurity researchers have detailed the inner workings of
ShadowPad, a sophisticated and modular backdoor that has
been adopted by a growing number of Chinese threat groups in recent
years, while also linking it to the country’s civilian and military
intelligence agencies.

“ShadowPad is decrypted in memory using a custom decryption
algorithm,” researchers from Secureworks said in a report shared
with The Hacker News. “ShadowPad extracts information about the
host, executes commands, interacts with the file system and
registry, and deploys new modules to extend functionality.”

ShadowPad^[1]
is a modular malware platform sharing noticeable overlaps to the
PlugX^[2]
malware and which has been put to use in high-profile attacks
against NetSarang, CCleaner, and ASUS, causing the operators to
shift tactics and update their defensive measures.

While initial campaigns that delivered ShadowPad were attributed
to a threat cluster tracked as Bronze Atlas^[3]
aka Barium – Chinese nationals working for a networking security
company named Chengdu 404^[4]
– it has since been used by multiple Chinese threat groups post
2019.

In a detailed overview of the malware in August 2021,
cybersecurity company SentinelOne dubbed^[5]
ShadowPad a “masterpiece of privately sold malware in Chinese
espionage.” A subsequent analysis by PwC in December 2021 disclosed^[6]
a bespoke packing mechanism – named ScatterBee – that’s used to
obfuscate malicious 32-bit and 64-bit payloads for ShadowPad
binaries.

The malware payloads are traditionally deployed to a host either
encrypted within a DLL loader or embedded inside a separate file
along with a DLL loader, which then decrypts and executes the
embedded ShadowPad payload in memory using a custom decryption
algorithm tailored to the malware version.

These DLL loaders execute the malware after being sideloaded by
a legitimate executable vulnerable to DLL search order hijacking^[7], a technique that allows
the execution of malware by hijacking the method used to look for
required DLLs to load into a program.

Select infection chains observed by Secureworks also involve a
third file that contains the encrypted ShadowPad payload, which
work by executing the legitimate binary (e.g., BDReinit.exe or
Oleview.exe) to sideload the DLL that, in turn, loads and decrypts
the third file.

Alternatively, the threat actor has placed the DLL file in the
Windows System32 directory so as to be loaded by the Remote Desktop
Configuration (SessionEnv) Service, ultimately leading to the
deployment of Cobalt Strike on compromised systems.

In one ShadowPad incident, the intrusions paved the way for
launching hands-on-keyboard attacks, which refer to attacks wherein
human hackers manually log into an infected system to execute
commands themselves rather than using automated scripts.

Additionally, Secureworks attributed distinct ShadowPad activity
clusters, including Bronze Geneva^[8]
(aka Hellsing), Bronze Butler^[9]
(aka Tick), and Bronze Huntley^[10] (aka Tonto Team), to
Chinese nation-state groups that operate in alignment with the
People’s Liberation Army Strategic Support Force (PLASSF^[11]).

“Evidence […] suggests that ShadowPad has been deployed by
MSS^[12]-affiliated threat
groups, as well as PLA-affiliated threat groups that operate on
behalf of the regional theater commands,” the researchers said.
“The malware was likely developed by threat actors affiliated with
Bronze Atlas and then shared with MSS and PLA threat groups around
2019.”