win.shadowpad

ShadowPad

aka: POISONPLUG.SHADOW, XShellGhost

Actor(s): APT41, Axiom


There is no description at this point.

References
2020-03-03 — PWC UK — PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-01-31 — ESET Research — Mathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2019-10-07 — ESET Research — Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-04-23 — Kaspersky Labs — GReAT, AMR
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2017-08-15 — Kaspersky Labs — GReAT
@online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } ShadowPad in corporate networks
ShadowPad
Yara Rules
[TLP:WHITE] win_shadowpad_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_shadowpad_auto {

    /*
     * Purpose: detect unpacked ShadowPad (win.shadowpad) code by matching
     * short x86 instruction byte sequences extracted automatically from
     * Malpedia samples by yara-signator (see DISCLAIMER below).
     *
     * Each $sequence_N is a hex string of 32-bit x86 opcodes (register
     * names in the disassembly comments are eax/ebp/esp etc.). The "??"
     * wildcard bytes mask the 4-byte operands of position-dependent
     * instructions (e8 = call rel32, a3 = mov [moffs32], eax,
     * ff35 = push [moffs32]), so the patterns survive relocation and
     * differing link addresses; the disassembly column is left blank for
     * those instructions because the target is not fixed.
     *
     * In the per-sequence comments, "n" appears to be the number of
     * instructions in the sequence and "score" the selection score assigned
     * by yara-signator; see the tool's repository (link below) for the
     * exact definition.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): this date is one day later than malpedia_rule_date /
        // malpedia_version below (20200529) — presumably generation date vs.
        // Malpedia snapshot date; confirm before relying on either.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad"
        malpedia_rule_date = "20200529"
        // malpedia_hash identifies the Malpedia data snapshot the rule was
        // generated from; it is not a hash of a ShadowPad sample.
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ffd7 8d75d0 8945f4 e8???????? 8d45d0 e8???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d75d0               | lea                 esi, [ebp - 0x30]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   e8????????           |                     
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   e8????????           |                     

        $sequence_1 = { e8???????? 50 e8???????? 59 8d75ec a3???????? e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d75ec               | lea                 esi, [ebp - 0x14]
            //   a3????????           |                     
            //   e8????????           |                     

        $sequence_2 = { e8???????? 85c0 75a1 8d4314 50 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75a1                 | jne                 0xffffffa3
            //   8d4314               | lea                 eax, [ebx + 0x14]
            //   50                   | push                eax
            //   e8????????           |                     

        // Only sequence with no wildcard: a 64-bit compare via sub/sbb on
        // stack-relative operands. Generic-looking code; it contributes to
        // the "7 of them" count but should not be trusted on its own.
        $sequence_3 = { 8b442440 2b442410 8b4c2444 1b4c2414 781e }
            // n = 5, score = 200
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   2b442410             | sub                 eax, dword ptr [esp + 0x10]
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]
            //   1b4c2414             | sbb                 ecx, dword ptr [esp + 0x14]
            //   781e                 | js                  0x20

        $sequence_4 = { 8d45e0 c745fc00100001 e8???????? 8b7508 83650c00 837e4400 7e48 }
            // n = 7, score = 200
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   c745fc00100001       | mov                 dword ptr [ebp - 4], 0x1001000
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   83650c00             | and                 dword ptr [ebp + 0xc], 0
            //   837e4400             | cmp                 dword ptr [esi + 0x44], 0
            //   7e48                 | jle                 0x4a

        $sequence_5 = { e8???????? 83660800 83660c00 59 895e08 897e0c 33c0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83660800             | and                 dword ptr [esi + 8], 0
            //   83660c00             | and                 dword ptr [esi + 0xc], 0
            //   59                   | pop                 ecx
            //   895e08               | mov                 dword ptr [esi + 8], ebx
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { c20400 8b06 85c0 740e 50 e8???????? }
            // n = 6, score = 200
            //   c20400               | ret                 4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 8bc6 83e003 8bd0 83ea00 7448 4a 7430 }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   83e003               | and                 eax, 3
            //   8bd0                 | mov                 edx, eax
            //   83ea00               | sub                 edx, 0
            //   7448                 | je                  0x4a
            //   4a                   | dec                 edx
            //   7430                 | je                  0x32

        $sequence_8 = { a3???????? ff7508 ff35???????? ffd0 c9 c3 55 }
            // n = 7, score = 200
            //   a3????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff35????????         |                     
            //   ffd0                 | call                eax
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_9 = { 897e0c 895e04 33c0 5f c3 }
            // n = 5, score = 200
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   895e04               | mov                 dword ptr [esi + 4], ebx
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   c3                   | ret                 

    condition:
        // At least 7 of the 10 sequences must match, and the scanned object
        // must be smaller than 188416 bytes (184 KiB). There is deliberately
        // no PE-header check (e.g. uint16(0) == 0x5a4d): the sequences were
        // taken from memory dumps as well as unpacked files, so the rule is
        // meant to fire on dumped code without a valid header. NOTE(review):
        // when scanning process memory rather than a file, `filesize` is not
        // meaningful in YARA — confirm how the YARA version in use evaluates
        // this clause before deploying the rule for live-memory scans.
        7 of them and filesize < 188416
}