Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент ShadowPad
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
ShadowPad
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)
ID: S0596
Associated Software: POISONPLUG.SHADOW
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 23 Mar 2021
Last Modified: 17 Oct 2022

Associated Software Descriptions
Name Description
POISONPLUG.SHADOW (Citation: FireEye APT41 Aug 2019)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.(Citation: Kaspersky ShadowPad Aug 2017)
.002 Application Layer Protocol: File Transfer Protocols

ShadowPad has used FTP for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017)

.004 Application Layer Protocol: DNS

ShadowPad has used DNS tunneling for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017)

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

ShadowPad has encoded data as readable Latin characters.(Citation: Securelist ShadowPad Aug 2017)
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

ShadowPad uses a DGA that is based on the day of the month for C2 servers.(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)(Citation: FireEye APT41 Aug 2019)
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

ShadowPad has injected a DLL into svchost.exe.(Citation: Kaspersky ShadowPad Aug 2017)

Groups That Use This Software
ID Name References
G0081 Tropic Trooper

(Citation: Recorded Future RedEcho Feb 2021)

G0131 Tonto Team

(Citation: Kaspersky CactusPete Aug 2020)

G0096 APT41

(Citation: FireEye APT41 Aug 2019) (Citation: Recorded Future RedEcho Feb 2021)

G1006 Earth Lusca

(Citation: TrendMicro EarthLusca 2022)

G0060 BRONZE BUTLER

(Citation: Recorded Future RedEcho Feb 2021)

References

  1. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  2. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  3. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  4. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
  5. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  6. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.