

The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals. Secureworks® Counter Threat Unit™ (CTU) analysis of ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People's Liberation Army (PLA). Some clusters that target China's 'near abroad' appear to be linked to PLA theater commands, which were introduced in the PLA reforms announced in 2015. Evidence of infrastructure and malware crossover among threat groups likely operating within the same theater command suggests that these reforms could be facilitating collaboration among the groups.

ShadowPad is decrypted in memory using a custom decryption algorithm, and CTU™ researchers have identified multiple ShadowPad versions based on these distinct algorithms. Once running, ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend its functionality.

CTU researchers discovered that ShadowPad payloads are deployed to a host either encrypted within a DLL loader or in a separate file alongside a DLL loader. In both cases the DLL loader is sideloaded by a legitimate executable vulnerable to DLL search order hijacking, and the loader then decrypts and executes ShadowPad in memory.

The majority of ShadowPad samples analyzed by CTU researchers were two-file execution chains: a legitimate executable and a DLL loader with the encrypted ShadowPad payload embedded in it. The legitimate executable sideloads the DLL loader, which decrypts and executes the embedded payload in memory using the custom decryption algorithm specific to that malware version. Table 1 lists the legitimate executable and malicious DLL pairs that CTU researchers observed in analyzed samples.

Table 1. Legitimate executable and DLL loader filenames used to load ShadowPad.

CTU researchers also identified three-file execution chains in which a separate third file contains the encrypted ShadowPad payload. These chains execute the legitimate executable (usually renamed), sideload the ShadowPad DLL loader, and load and decrypt the third file. CTU researchers observed threat actors using BDReinit.exe or Oleview.exe as the initial file in the three-file chain; the name of the third file is specific to each of the BDReinit.exe and Oleview.exe chains. CTU researchers have attributed campaigns using these execution chains to the Chinese BRONZE UNIVERSITY threat group, which has targeted transportation, natural resource, energy, and non-governmental organizations. Third-party researchers have also identified three-file ShadowPad execution chains that begin with consent.exe (followed by secur32.dll and a third, encrypted payload file) and AppLaunch.exe (followed by mscoree.dll and a third file). Additionally, CTU analysis revealed a sample that used AppLaunch.exe followed by mscoree.dll and a third file. Other ShadowPad samples from 2018 also deviated from the typical two-file execution chain.
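The two-file and three-file chains described above share one detectable shape: a DLL whose name belongs in a Windows system directory is instead loaded from the directory of the executable that imports it, and that executable may carry a different on-disk name from the one in its version resource. The following Python script is an added example written for this page, not Secureworks CTU code. It applies that logic to a few constructed records that flatten a Sysmon process-create (Event ID 1) and image-load (Event ID 7) pair; the join of those two events, the record field names, and every host path are assumptions for the example. The executable/DLL pairs it knows (consent.exe with secur32.dll, AppLaunch.exe with mscoree.dll) are the ones named in the text; the BDReinit.exe and Oleview.exe chains are omitted because their DLL names are not given here. A second function classifies a directory listing as the two-file or three-file layout, using the heuristic that any sibling file that is not a PE by extension is a candidate encrypted payload.

```python
"""Detection sketch for ShadowPad-style DLL sideloading chains.

Added example for this page, not Secureworks CTU code. Records are a
constructed flattening of Sysmon Event ID 1 (process create) and
Event ID 7 (image load); the join, field names and paths are assumed.
"""
import ntpath  # parse Windows paths correctly even when run on Linux/macOS

# Legitimate executable / DLL loader pairs named on this page. The DLL name
# is the stable indicator: the executable is "usually renamed", so it is
# matched on the OriginalFileName from its version resource, not its path.
SIDELOAD_PAIRS = {
    "secur32.dll": "consent.exe",
    "mscoree.dll": "applaunch.exe",
}

# Locations from which these DLLs are normally loaded (assumed list).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
)


def sideload_reasons(rec):
    """Return the reasons an image-load record looks like sideloading.

    An empty list means the load is benign under these rules."""
    proc = rec["process_image"].lower()
    dll = rec["dll_loaded"].lower()
    name = ntpath.basename(dll)
    if name not in SIDELOAD_PAIRS or dll.startswith(TRUSTED_DIRS):
        return []
    reasons = [f"{name} loaded from non-system path {ntpath.dirname(dll)}"]
    if ntpath.dirname(dll) == ntpath.dirname(proc):
        reasons.append("DLL sits beside the loading executable "
                       "(search-order hijack layout)")
    orig = rec.get("process_original_name", "").lower()
    if orig == SIDELOAD_PAIRS[name]:
        on_disk = ntpath.basename(proc)
        note = "" if on_disk == orig else f", on disk as {on_disk}"
        reasons.append(f"loader's original name is {orig}{note}")
    if not rec.get("dll_signed", False):
        reasons.append("DLL is unsigned")
    return reasons


def chain_type(dir_listing):
    """Classify a directory listing as the two-file (exe + DLL loader) or
    three-file (exe + DLL loader + separate payload) layout.

    Heuristic: any extra file that is not a PE by extension is treated as
    a candidate encrypted payload. Returns None if no known pair is present."""
    names = [n.lower() for n in dir_listing]
    exes = [n for n in names if n.endswith(".exe")]
    dlls = [n for n in names if n in SIDELOAD_PAIRS]
    if not exes or not dlls:
        return None
    extras = [n for n in names if not n.endswith((".exe", ".dll"))]
    return "three-file" if extras else "two-file"


def scan(records):
    """Return {process_image: reasons} for every record that alerts."""
    hits = {}
    for rec in records:
        reasons = sideload_reasons(rec)
        if reasons:
            hits[rec["process_image"]] = reasons
    return hits


# Constructed records (hypothetical paths). The first two mirror the shapes
# the page describes: a renamed consent.exe beside secur32.dll, and
# AppLaunch.exe beside mscoree.dll. The third is a normal System32 load.
SAMPLE_RECORDS = [
    {"process_image": r"C:\ProgramData\Adobe\update.exe",
     "process_original_name": "consent.exe",
     "dll_loaded": r"C:\ProgramData\Adobe\secur32.dll", "dll_signed": False},
    {"process_image": r"C:\Users\Public\AppLaunch.exe",
     "process_original_name": "AppLaunch.exe",
     "dll_loaded": r"C:\Users\Public\mscoree.dll", "dll_signed": False},
    {"process_image": r"C:\Windows\System32\consent.exe",
     "process_original_name": "consent.exe",
     "dll_loaded": r"C:\Windows\System32\secur32.dll", "dll_signed": True},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_RECORDS).items():
        print(image)
        for r in reasons:
            print("  -", r)
    print(chain_type(["update.exe", "secur32.dll", "update.dat"]))
```

Running it alerts on the first two records and stays silent on the System32 load. Keying on the DLL name rather than the executable's path is deliberate: the text notes the legitimate executable is usually renamed, so the on-disk name of the process is the weakest signal available, while the DLL name and its location relative to the loading process survive the rename. In production the table would be extended with the BDReinit.exe and Oleview.exe loaders once their DLL names are known.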
