ShadowPad
Associated Software Descriptions

Name | Description
---|---
POISONPLUG.SHADOW | (Citation: FireEye APT41 Aug 2019)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.(Citation: Kaspersky ShadowPad Aug 2017)
Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | ShadowPad has used FTP for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017)
Enterprise | T1071.004 | Application Layer Protocol: DNS | ShadowPad has used DNS tunneling for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017)
Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | ShadowPad has encoded data as readable Latin characters.(Citation: Securelist ShadowPad Aug 2017)
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | ShadowPad uses a DGA that is based on the day of the month for C2 servers.(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)(Citation: FireEye APT41 Aug 2019)
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | ShadowPad maintains a configuration block and virtual file system in the Registry.(Citation: Kaspersky ShadowPad Aug 2017)(Citation: TrendMicro EarthLusca 2022)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | ShadowPad has injected a DLL into svchost.exe.(Citation: Kaspersky ShadowPad Aug 2017)
Groups That Use This Software

ID | Name | References
---|---|---
G0081 | Tropic Trooper | (Citation: Recorded Future RedEcho Feb 2021)
G0131 | Tonto Team | (Citation: Kaspersky CactusPete Aug 2020)
G0096 | APT41 | (Citation: FireEye APT41 Aug 2019) (Citation: Recorded Future RedEcho Feb 2021)
G0143 | Aquatic Panda | (Citation: Crowdstrike HuntReport 2022)
G1006 | Earth Lusca | (Citation: TrendMicro EarthLusca 2022)
G0060 | BRONZE BUTLER | (Citation: Recorded Future RedEcho Feb 2021)
References
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
- Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
- CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.