win.shadowpad

ShadowPad

aka: POISONPLUG.SHADOW, XShellGhost

Actor(s): APT41, Axiom


There is no description at this point.

References

2021-02-23 | CrowdStrike | CrowdStrike
  2021 Global Threat Report
  https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf (accessed 2021-02-25)
  Also covers: RansomEXX, Amadey, Anchor, Avaddon Ransomware, BazarBackdoor, Clop, Cobalt Strike, Conti Ransomware, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet Ransomware, ShadowPad, SmokeLoader, Snake Ransomware, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader

2021-01-14 | PTSecurity | PT ESC Threat Intelligence
  Higaisa or Winnti? APT41 backdoors, old and new
  https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ (accessed 2021-02-09)
  Also covers: Cobalt Strike, CROSSWALK, FunnySwitch, PlugX, ShadowPad

2020-12-10 | ESET Research | Mathieu Tartare
  Operation StealthyTrident: corporate software under attack
  https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ (accessed 2020-12-10)
  Also covers: HyperBro, PlugX, ShadowPad, Tmanger

2020-11-23 | Youtube (OWASP DevSlop) | Negar Shabab, Noushin Shabab
  Compromised Compilers - A new perspective of supply chain cyber attacks
  https://www.youtube.com/watch?v=55kaaMGBARM (accessed 2020-11-23)
  Also covers: ShadowPad

2020-11-03 | Kaspersky Labs | GReAT
  APT trends report Q3 2020
  https://securelist.com/apt-trends-report-q3-2020/99204/ (accessed 2020-11-04)
  Also covers: WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti

2020-10-27 | Dr.Web | Dr.Web
  Study of the ShadowPad APT backdoor and its relation to PlugX
  https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf (accessed 2020-10-29)
  Also covers: Ghost RAT, PlugX, ShadowPad

2020-09-18 | Symantec | Threat Hunter Team
  APT41: Indictments Put Chinese Espionage Group in the Spotlight
  https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage (accessed 2020-09-23)
  Also covers: CROSSWALK, PlugX, poisonplug, ShadowPad, Winnti

2020-09-08 | PTSecurity | PTSecurity
  ShadowPad: new activity from the Winnti group
  https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf (accessed 2020-10-08)
  Also covers: CCleaner Backdoor, Korlia, ShadowPad, TypeHash

2020-07-29 | Kaspersky Labs | GReAT
  APT trends report Q2 2020
  https://securelist.com/apt-trends-report-q2-2020/97937/ (accessed 2020-07-30)
  Also covers: PhantomLance, Dacls, Penquin Turla, elf.wellmess, AppleJeus, Dacls, AcidBox, Cobalt Strike, Dacls, EternalPetya, Godlike12, Olympic Destroyer, PlugX, shadowhammer, ShadowPad, Sinowal, VHD Ransomware, Volgmer, WellMess, X-Agent, XTunnel

2020-07-14 | CrowdStrike | Falcon OverWatch Team
  Manufacturing Industry in the Adversaries' Crosshairs
  https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ (accessed 2020-07-23)
  Also covers: ShadowPad, Snake Ransomware

2020-03-03 | PWC UK | PWC UK
  Cyber Threats 2019: A Year in Retrospect
  https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf (accessed 2020-03-03)
  Also covers: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, Axiom

2020-01-31 | ESET Research | Mathieu Tartare
  Winnti Group targeting universities in Hong Kong
  https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ (accessed 2020-02-03)
  Also covers: ShadowPad, Winnti

2019-10-07 | ESET Research | Marc-Etienne M. Léveillé, Mathieu Tartare
  CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
  https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf (accessed 2020-01-10)
  Also covers: LOWKEY, shadowhammer, ShadowPad

2019-04-23 | Kaspersky Labs | GReAT, AMR
  Operation ShadowHammer: a high-profile supply chain attack
  https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/ (accessed 2019-12-20)
  Also covers: shadowhammer, ShadowPad

2017-08-15 | Kaspersky Labs | GReAT
  ShadowPad in corporate networks
  https://securelist.com/shadowpad-in-corporate-networks/81432/ (accessed 2019-12-20)
  Also covers: ShadowPad
Yara Rules
[TLP:WHITE] win_shadowpad_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_shadowpad_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 897e04 8b4608 3bc7 740d 50 e8???????? 59 }
            // n = 7, score = 200
            //   897e04               | mov                 dword ptr [esi + 4], edi
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   3bc7                 | cmp                 eax, edi
            //   740d                 | je                  0xf
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_1 = { 2b442410 8b4c2444 1b4c2414 781e }
            // n = 4, score = 200
            //   2b442410             | sub                 eax, dword ptr [esp + 0x10]
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]
            //   1b4c2414             | sbb                 ecx, dword ptr [esp + 0x14]
            //   781e                 | js                  0x20

        $sequence_2 = { 85c0 7410 8d75e8 e8???????? 6a0d 5f }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   8d75e8               | lea                 esi, [ebp - 0x18]
            //   e8????????           |                     
            //   6a0d                 | push                0xd
            //   5f                   | pop                 edi

        $sequence_3 = { 88144b 8a0408 8b560c c0e804 }
            // n = 4, score = 200
            //   88144b               | mov                 byte ptr [ebx + ecx*2], dl
            //   8a0408               | mov                 al, byte ptr [eax + ecx]
            //   8b560c               | mov                 edx, dword ptr [esi + 0xc]
            //   c0e804               | shr                 al, 4

        $sequence_4 = { 57 50 ff742420 ff15???????? 8d742468 e8???????? }
            // n = 6, score = 200
            //   57                   | push                edi
            //   50                   | push                eax
            //   ff742420             | push                dword ptr [esp + 0x20]
            //   ff15????????         |                     
            //   8d742468             | lea                 esi, [esp + 0x68]
            //   e8????????           |                     

        $sequence_5 = { 8975dc 8975e4 8975e0 e8???????? }
            // n = 4, score = 200
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   8975e0               | mov                 dword ptr [ebp - 0x20], esi
            //   e8????????           |                     

        $sequence_6 = { 897c2410 897c2414 8d442440 50 8d44241c 50 }
            // n = 6, score = 200
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   897c2414             | mov                 dword ptr [esp + 0x14], edi
            //   8d442440             | lea                 eax, [esp + 0x40]
            //   50                   | push                eax
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   50                   | push                eax

        $sequence_7 = { 8d850cefffff 50 8d45c0 e8???????? 8d4de8 51 e8???????? }
            // n = 7, score = 200
            //   8d850cefffff         | lea                 eax, [ebp - 0x10f4]
            //   50                   | push                eax
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   e8????????           |                     
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_8 = { a3???????? ff7508 ff35???????? ffd0 c9 c3 55 }
            // n = 7, score = 200
            //   a3????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff35????????         |                     
            //   ffd0                 | call                eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_9 = { 8d0481 8b0410 03c2 3b5d08 7410 ff45fc }
            // n = 6, score = 200
            //   8d0481               | lea                 eax, [ecx + eax*4]
            //   8b0410               | mov                 eax, dword ptr [eax + edx]
            //   03c2                 | add                 eax, edx
            //   3b5d08               | cmp                 ebx, dword ptr [ebp + 8]
            //   7410                 | je                  0x12
            //   ff45fc               | inc                 dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 188416
}