Security News > 2022 > February > Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA

Cybersecurity researchers have detailed the inner workings of ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat groups in recent years, while also linking it to the country's civilian and military intelligence agencies.

ShadowPad is a modular malware platform sharing noticeable overlaps to the PlugX malware and which has been put to use in high-profile attacks against NetSarang, CCleaner, and ASUS, causing the operators to shift tactics and update their defensive measures.

While initial campaigns that delivered ShadowPad were attributed to a threat cluster tracked as Bronze Atlas aka Barium - Chinese nationals working for a networking security company named Chengdu 404 - it has since been used by multiple Chinese threat groups post 2019.

In a detailed overview of the malware in August 2021, cybersecurity company SentinelOne dubbed ShadowPad a "Masterpiece of privately sold malware in Chinese espionage." A subsequent analysis by PwC in December 2021 disclosed a bespoke packing mechanism - named ScatterBee - that's used to obfuscate malicious 32-bit and 64-bit payloads for ShadowPad binaries.

The malware payloads are traditionally deployed to a host either encrypted within a DLL loader or embedded inside a separate file along with a DLL loader, which then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm tailored to the malware version.

"Evidence [] suggests that ShadowPad has been deployed by MSS-affiliated threat groups, as well as PLA-affiliated threat groups that operate on behalf of the regional theater commands," the researchers said.

News URL

https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html