ShadowPad

ShadowPad Description

shadowpad malwareThe ShadowPad program is a particular piece of malware that managed to remain undetected in supply-chain networks and enable threat actors to have backdoor access to the compromised systems. The ShadowPad program was discovered in July 2017. The investigation into the ShadowPad cyber began with questionable DNS (Domain Name Server) requests that were reported to computer security authorities. The researchers were led to an unlikely culprit — a legitimate server management kit utilized by financial institutions, education organizations, telecom companies, factories, energy distributors and transportation firms.

ShadowPad's association with threat actors seeking data

A closer look at the server management kit revealed that a recent update through the official update channels added a new module to the software. The new module was responsible for the questionable DNS requests mentioned above. The corrupted server management kit was confirmed to come from the official developer and have a valid digital signature. Moreover, the new module was configured to contact a particular set of domains every 8 hours. The domains proved to be 'Command and Control' servers. The ShadowPad program reported general computer information like active username, IP address, associated domain, hostname and software configuration. A network-wide search showed that not all infected computers receive a response from the command servers. It is suspected that the threat actors go over the received DNS requests and target specific PCs that may have valuable data manually.

The Winnti Group and backdoor malware, the known threat actor with Chinese origins that develops and uses ShadowPad, kept updating it throughout 2019. A recent report by researchers working with ESET outlines the major new features added to ShadowPad.

ShadowPad does not obtain its C&C server address and protocol the way most other malware does. Instead, it parses information from publicly available pages, hosted by various legitimate services, including Valve's Steam profile pages, GitHub repos, even Google Docs files. It has been doing that for a while, but researchers discovered that there were newly timestamped modules, compiled in 2019, that use additional obfuscation and random module identifiers. The ShadowPad backdoor also uses a specific campaign identifier that is located in its configuration.

ShadowPad activities evolve to take aggressive destructive path

The actions of ShadowPad have evolved and the latest destructive actions take place in a series of steps, which are outlined in the Figure 1 infographic below. Sourced from the Eset Security website welivesecurity.com, the infographic represents the methods that threats out of the Winnti conduct for their infection and destruction on systems. Within the attack methods, one would take notice to the family of Winnti threats compromising many different entities and then ending up with a variation of ShadowPad and other threats, such as ShadowHammer.

winnti shadowpad threat malware attack

ShadowPad's configuration module contains a pool of encrypted strings that represent two separate URLs of publicly available pages on legitimate services, such as the aforementioned Google Docs or Steam profile pages. Those pages contain the real C&C server URL that the module decrypts. The campaign identifier string is also contained in the same pool. A lot of the publicly available documents have been taken down by the bad actors but a number of decrypted C&C server IPs have been recovered by researchers using Google Docs' document history feature.

A response from the command server was recorded shortly after the investigation into the ShadowPad started. The threat actors deployed a full-featured Backdoor Trojan that achieved persistence by writing a Registry key. That way the ShadowPad Backdoor Trojan managed to load with Windows and enable remote desktop access. The attackers were able to download more unsafe tools and install ransomware given the nature of the compromised systems. Fortunately, the ShadowPad malware would go down in cyber history as a missed opportunity since AV manufacturers managed to block its spread on time. The ShadowPad project may be revised on a later date and transformed into a new cyber-threat. You may want to check your PC for opened ports, poorly configured remote desktop accounts and questionable DNS requests using a trusted anti-malware suite.

Technical Information

File System Details

ShadowPad creates the following file(s):
# File Name Size MD5 Detection Count
1 file.exe 57,763,752 0009f4b9972660eeb23ff3a9dccd8d86 3
2 file.dll 180,432 97363d50a279492fda14cbab53429e75 0
More files

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.


HTML is not allowed.