Aug 17, 2014
Security researchers who took a deep dive into the ShadowPad malware platform discovered a new controller and several details that shed light on how this modular malware operates and may pose a threat to enterprise defenders.
ShadowPad first emerged in 2015 and is used by at least four clusters of espionage activity, report SentinelLabs researchers who have been analyzing the threat. It has been involved in multiple, high-profile supply chain attacks, including CCleaner, NetSarang, and ShadowHammer.
Over the years, the malware platform has spread across state-sponsored Chinese groups that previously relied on attack tools such as PlugX, RedLeaves, and other remote access Trojans (RATs). Prior to ShadowPad's emergence, there was a sense of a "digital quartermaster" sharing the malware among threat groups, but no concrete understanding of how the process worked.
The researchers' newest findings include a controller that gave them a clearer picture of how the builder generates shellcodes, how attackers manage infected hosts, and the controller's different capabilities.
"ShadowPad is the preferred, or more desirable, tool for these groups and starts to replace tools like PlugX that had been around for so long," says J.A. Guerrero-Saade, principal threat researcher at SentinelOne. While the relationship between PlugX and ShadowPad has been discussed, the new findings indicate ShadowPad is "highly likely" to be the successor to PlugX.
Unlike PlugX, which is publicly sold, ShadowPad is privately shared among a limited set of users. It is a modular platform, which Guerrero-Saade says is significant: the most advanced attackers the research team has observed tend to prefer modular frameworks in their campaigns.
"The idea is, you have a main platform you infect a target with, and then you can use different plug-ins to expand your capabilities without having to replace that main malware, without having to code a whole new separate thing," he explains, later adding, "It's one of the bigger evolutions that ShadowPad presents."
ShadowPad is a modular backdoor delivered as shellcode. When it executes, an obfuscated shellcode loader layer decrypts and loads a Root plugin. While the Root plugin's operations are decrypted, the malware loads the other plugins embedded in the shellcode into memory. Additional plugins can be uploaded from the command-and-control (C2) server, so attackers can add functionality that is not included by default.
Researchers who investigated the privately sold malware platform find a new controller -- and new implications for the Chinese espionage threat landscape.