win.shadowpad

ShadowPad

aka: POISONPLUG.SHADOW, XShellGhost

Actor(s): APT41, Axiom


There is no description at this point.

References
2020-09-18, Symantec, Threat Hunter Team: APT41: Indictments Put Chinese Espionage Group in the Spotlight
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} }
Covers: CROSSWALK, PlugX, poisonplug, ShadowPad, Winnti

2020-09-08, PTSecurity, PTSecurity: Shadowpad: new activity of the group (report in Russian)
@techreport{ptsecurity:20200908:shadowpad:2903f45, author = {PTSecurity}, title = {{Shadowpad: новая активность группировки}}, date = {2020-09-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf}, language = {Russian}, urldate = {2020-09-15} }
Covers: CCleaner Backdoor, Korlia, ShadowPad

2020-07-29, Kaspersky Labs, GReAT: APT trends report Q2 2020
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} }
Covers: PhantomLance, Dacls, Penquin Turla, elf.wellmess, AppleJeus, Dacls, AcidBox, Cobalt Strike, Dacls, EternalPetya, Godlike12, Olympic Destroyer, PlugX, shadowhammer, ShadowPad, Sinowal, VHD Ransomware, Volgmer, WellMess, X-Agent, XTunnel

2020-07-14, CrowdStrike, Falcon OverWatch Team: Manufacturing Industry in the Adversaries’ Crosshairs
@online{team:20200714:manufacturing:3e552ec, author = {Falcon OverWatch Team}, title = {{Manufacturing Industry in the Adversaries’ Crosshairs}}, date = {2020-07-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/}, language = {English}, urldate = {2020-07-23} }
Covers: ShadowPad, Snake Ransomware

2020-03-03, PWC UK, PWC UK: Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Covers: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare; actor: Axiom

2020-01-31, ESET Research, Mathieu Tartare: Winnti Group targeting universities in Hong Kong
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} }
Covers: ShadowPad, Winnti

2019-10-07, ESET Research, Marc-Etienne M.Léveillé and Mathieu Tartare: CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} }
Covers: LOWKEY, shadowhammer, ShadowPad

2019-04-23, Kaspersky Labs, GReAT and AMR: Operation ShadowHammer: a high-profile supply chain attack
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} }
Covers: shadowhammer, ShadowPad

2017-08-15, Kaspersky Labs, GReAT: ShadowPad in corporate networks
@online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} }
Covers: ShadowPad
Yara Rules
[TLP:WHITE] win_shadowpad_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_shadowpad_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 69c93a2a4290 2bc8 6a06 81e96ffcb767 5e 33d2 }
            // n = 6, score = 200
            //   69c93a2a4290         | imul                ecx, ecx, 0x90422a3a
            //   2bc8                 | sub                 ecx, eax
            //   6a06                 | push                6
            //   81e96ffcb767         | sub                 ecx, 0x67b7fc6f
            //   5e                   | pop                 esi
            //   33d2                 | xor                 edx, edx

        $sequence_1 = { 8d4590 50 8d45c0 e8???????? 8d4de8 51 e8???????? }
            // n = 7, score = 200
            //   8d4590               | lea                 eax, [ebp - 0x70]
            //   50                   | push                eax
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   e8????????           |                     
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_2 = { 8d45e4 e8???????? ff7008 8b7508 e8???????? }
            // n = 5, score = 200
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   e8????????           |                     
            //   ff7008               | push                dword ptr [eax + 8]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_3 = { 53 56 33db 57 33d2 eb2d }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   33d2                 | xor                 edx, edx
            //   eb2d                 | jmp                 0x2f

        $sequence_4 = { 8bc7 8bcb e8???????? 33d2 85ff }
            // n = 5, score = 200
            //   8bc7                 | mov                 eax, edi
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   85ff                 | test                edi, edi

        $sequence_5 = { 8b4508 6a00 6800100000 ff750c c745fc10000000 ff30 ff15???????? }
            // n = 7, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   6800100000           | push                0x1000
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   c745fc10000000       | mov                 dword ptr [ebp - 4], 0x10
            //   ff30                 | push                dword ptr [eax]
            //   ff15????????         |                     

        $sequence_6 = { ff7510 ff750c 53 ff7508 e8???????? 33f6 3bc6 }
            // n = 7, score = 200
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   53                   | push                ebx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   33f6                 | xor                 esi, esi
            //   3bc6                 | cmp                 eax, esi

        $sequence_7 = { 8d8500ffffff 50 8b4508 8d7e01 e8???????? }
            // n = 5, score = 200
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d7e01               | lea                 edi, [esi + 1]
            //   e8????????           |                     

        $sequence_8 = { 33c0 8d4de8 e8???????? 8b7de0 8bc3 50 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   e8????????           |                     
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   8bc3                 | mov                 eax, ebx
            //   50                   | push                eax

        $sequence_9 = { 8b06 8d0c18 0fb639 8d440701 3b450c }
            // n = 5, score = 200
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8d0c18               | lea                 ecx, [eax + ebx]
            //   0fb639               | movzx               edi, byte ptr [ecx]
            //   8d440701             | lea                 eax, [edi + eax + 1]
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]

    condition:
        7 of them and filesize < 188416
}