win.shadowpad

ShadowPad

aka: POISONPLUG.SHADOW, XShellGhost

Actor(s): APT41, Axiom


There is no description at this point.

References
2020-11-23 | Youtube (OWASP DevSlop) | Negar Shabab, Noushin Shabab
@online{shabab:20201123:compromised:6dd1417, author = {Negar Shabab and Noushin Shabab}, title = {{Compromised Compilers - A new perspective of supply chain cyber attacks}}, date = {2020-11-23}, organization = {Youtube (OWASP DevSlop)}, url = {https://www.youtube.com/watch?v=55kaaMGBARM}, language = {English}, urldate = {2020-11-23} } Compromised Compilers - A new perspective of supply chain cyber attacks
ShadowPad
2020-11-03 | Kaspersky Labs | GReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-27 | Dr.Web | Dr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-09-18 | Symantec | Threat Hunter Team
@online{team:20200918:apt41:363daa8, author = {Threat Hunter Team}, title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}}, date = {2020-09-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage}, language = {English}, urldate = {2020-09-23} } APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti
2020-09-08 | PTSecurity | PTSecurity
@techreport{ptsecurity:20200908:shadowpad:2903f45, author = {PTSecurity}, title = {{ShadowPad: new activity from the Winnti group}}, date = {2020-09-08}, institution = {PTSecurity}, url = {https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf}, language = {English}, urldate = {2020-10-08} } ShadowPad: new activity from the Winnti group
CCleaner Backdoor Korlia ShadowPad TypeHash
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-14 | CrowdStrike | Falcon OverWatch Team
@online{team:20200714:manufacturing:3e552ec, author = {Falcon OverWatch Team}, title = {{Manufacturing Industry in the Adversaries’ Crosshairs}}, date = {2020-07-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/}, language = {English}, urldate = {2020-07-23} } Manufacturing Industry in the Adversaries’ Crosshairs
ShadowPad Snake Ransomware
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-01-31 | ESET Research | Mathieu Tartare
@online{tartare:20200131:winnti:9f891e4, author = {Mathieu Tartare}, title = {{Winnti Group targeting universities in Hong Kong}}, date = {2020-01-31}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/}, language = {English}, urldate = {2020-02-03} } Winnti Group targeting universities in Hong Kong
ShadowPad Winnti
2019-10-07 | ESET Research | Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8, author = {Marc-Etienne M.Léveillé and Mathieu Tartare}, title = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}}, date = {2019-10-07}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf}, language = {English}, urldate = {2020-01-10} } CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-04-23 | Kaspersky Labs | GReAT, AMR
@online{great:20190423:operation:20b8f83, author = {GReAT and AMR}, title = {{Operation ShadowHammer: a high-profile supply chain attack}}, date = {2019-04-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/}, language = {English}, urldate = {2019-12-20} } Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2017-08-15 | Kaspersky Labs | GReAT
@online{great:20170815:shadowpad:3d5b9a0, author = {GReAT}, title = {{ShadowPad in corporate networks}}, date = {2017-08-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/shadowpad-in-corporate-networks/81432/}, language = {English}, urldate = {2019-12-20} } ShadowPad in corporate networks
ShadowPad
Yara Rules
[TLP:WHITE] win_shadowpad_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_shadowpad_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading notes (reviewer)
     * - Each $sequence_N is a short run of 32-bit x86 opcode bytes taken from
     *   the disassembly; the decoded instructions are listed beneath each one.
     * - The "????????" wildcards mask the 4-byte operand of call instructions
     *   (e8 = call rel32, ff 15 = call dword ptr [imm32]). Those operands are
     *   link/load-address dependent, so masking them lets the pattern hold
     *   across builds that differ only in call targets.
     * - "n" is the instruction count of the sequence; "score" is a ranking
     *   value emitted by yara-signator whose exact meaning is not given here.
     * - Because the sequences were taken from memory dumps and unpacked files
     *   (see DISCLAIMER), a still-packed sample on disk may not match until it
     *   is unpacked or scanned in memory.
     */


    strings:
        $sequence_0 = { 8d442448 e8???????? 8d442458 50 e8???????? }
            // n = 5, score = 200
            //   8d442448             | lea                 eax, [esp + 0x48]
            //   e8????????           |                     
            //   8d442458             | lea                 eax, [esp + 0x58]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { e8???????? 6a0d 33d2 59 f7f1 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   6a0d                 | push                0xd
            //   33d2                 | xor                 edx, edx
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx

        $sequence_2 = { 50 57 ff7508 6a00 68e9fd0000 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9

        $sequence_3 = { 8b4508 33ff 47 885d0c }
            // n = 4, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33ff                 | xor                 edi, edi
            //   47                   | inc                 edi
            //   885d0c               | mov                 byte ptr [ebp + 0xc], bl

        $sequence_4 = { eb28 8b55f4 69d20ff7b17d bb1a68d7bf 2bda }
            // n = 5, score = 200
            //   eb28                 | jmp                 0x2a
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   69d20ff7b17d         | imul                edx, edx, 0x7db1f70f
            //   bb1a68d7bf           | mov                 ebx, 0xbfd7681a
            //   2bda                 | sub                 ebx, edx

        $sequence_5 = { c745bc20000000 ff15???????? 85c0 7507 53 8d4590 }
            // n = 6, score = 200
            //   c745bc20000000       | mov                 dword ptr [ebp - 0x44], 0x20
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   53                   | push                ebx
            //   8d4590               | lea                 eax, [ebp - 0x70]

        $sequence_6 = { 663919 7421 0fb639 c1ce08 83cf20 03f7 83c102 }
            // n = 7, score = 200
            //   663919               | cmp                 word ptr [ecx], bx
            //   7421                 | je                  0x23
            //   0fb639               | movzx               edi, byte ptr [ecx]
            //   c1ce08               | ror                 esi, 8
            //   83cf20               | or                  edi, 0x20
            //   03f7                 | add                 esi, edi
            //   83c102               | add                 ecx, 2

        $sequence_7 = { c1cb08 03d8 81f3a3d9357c 41 8a01 }
            // n = 5, score = 200
            //   c1cb08               | ror                 ebx, 8
            //   03d8                 | add                 ebx, eax
            //   81f3a3d9357c         | xor                 ebx, 0x7c35d9a3
            //   41                   | inc                 ecx
            //   8a01                 | mov                 al, byte ptr [ecx]

        $sequence_8 = { 3bd9 7cf5 3bd9 7c07 b803010000 }
            // n = 5, score = 200
            //   3bd9                 | cmp                 ebx, ecx
            //   7cf5                 | jl                  0xfffffff7
            //   3bd9                 | cmp                 ebx, ecx
            //   7c07                 | jl                  9
            //   b803010000           | mov                 eax, 0x103

        $sequence_9 = { 57 668945f6 ffd3 57 668945f8 }
            // n = 5, score = 200
            //   57                   | push                edi
            //   668945f6             | mov                 word ptr [ebp - 0xa], ax
            //   ffd3                 | call                ebx
            //   57                   | push                edi
            //   668945f8             | mov                 word ptr [ebp - 8], ax

    condition:
        // At least 7 of the 10 sequences must be present (not all of them), so
        // a single recompiled or patched function does not turn into a miss.
        // NOTE(review): filesize is only defined when scanning a file; for
        // process-memory scans the size bound may not evaluate as intended —
        // confirm against the YARA version in use before relying on it there.
        7 of them and filesize < 188416
}