Security researchers who took a deep dive into the ShadowPad malware platform discovered a new controller and several details that shed light on how this modular malware operates and may pose a threat to enterprise defenders.
ShadowPad first emerged in 2015 and is used by at least four clusters of espionage activity, report SentinelLabs researchers who have been analyzing the threat. It has been involved in multiple, high-profile supply chain attacks, including CCleaner, NetSarang, and ShadowHammer.
Over the years, the malware platform has spread across state-sponsored Chinese groups that previously relied on attack tools such as PlugX, RedLeaves, and other remote access Trojans (RATs). Prior to ShadowPad's emergence, there was a sense of a "digital quartermaster" sharing malware among threat groups, but no concrete understanding of how that process worked.
The researchers' newest findings include a controller that gave them a clearer picture of how the builder generates shellcodes, how attackers manage infected hosts, and the controller's different capabilities.
"ShadowPad is the preferred, or more desirable, tool for these groups and starts to replace tools like PlugX that had been around for so long," says J.A. Guerrero-Saade, principal threat researcher at SentinelOne. While the relationship between PlugX and ShadowPad has been discussed before, the new findings indicate ShadowPad is "highly likely" to be the successor to PlugX.
Unlike PlugX, which is publicly sold, ShadowPad is privately shared among a limited set of users. It is a modular platform, which Guerrero-Saade says is significant: the most advanced attackers the research team has observed tend to prefer modular frameworks in their campaigns.
"The idea is, you have a main platform you infect a target with, and then you can use different plug-ins to expand your capabilities without having to replace that main malware, without having to code a whole new separate thing," he explains, later adding, "It's one of the bigger evolutions that ShadowPad presents."
ShadowPad is a modular backdoor delivered as shellcode. When it executes, an obfuscated shellcode loader decrypts a Root plugin and loads it into memory. As the Root plugin is loaded, the malware also decrypts the other plugins embedded in the shellcode and loads them into memory. Additional plugins can be downloaded from the command-and-control (C2) server, so attackers can add functionality that is not included by default.
In theory, anyone who can build a plug-in that is encrypted and compressed in the correct format could add new capabilities to the backdoor. But researchers found ShadowPad wasn't designed as a collaborative framework. Only plug-ins created by the original developer can be included and used in the ShadowPad controller, and its seller has tight control over them.
"Looking deeply into the plugin numbers and the distribution of different plugins embedded in around a hundred samples, we assessed that the seller is likely selling each plugin separately instead of offering a full bundle with all of the currently available plugins," researchers explain. A buyer would need to choose the plugins they need and get them from the seller.
It takes a specific kind of format and platform knowledge to be able to develop plug-ins, and Guerrero-Saade says there hasn't been any variation in that. He describes the sale of plug-ins as a "tiered system" in which the seller chooses to give specific capabilities to specific people, and often plug-ins are inaccessible or too expensive for the buyers who want them. In this case, they take matters into their own hands.
"Some of the groups we've seen not having access to different plug-ins we know to be available … we see them creating their own tools to do the same thing in a sort of redundant fashion," Guerrero-Saade says.
Analysis of the controller revealed it is written in Delphi and can both generate malware and control backdoor communications. The controller has an interface to manage infected hosts and C2 servers and to build new ShadowPad shellcode, a combination the researchers call "a relatively unique characteristic of malware used by Chinese espionage threat actors."
The malware is privately sold to a small group of customers. SentinelOne has identified at least five activity clusters of ShadowPad users since 2017. These include APT41, the name for activities conducted by two spin-offs of what used to be called "Winnti": Barium and Lead. The researchers are tracking its other customers as Tick and Tonto Team, Operation Redbonus, Operation RedKanku, and Fishmonger.
Buying Instead of Building
Some attackers have stopped developing their own backdoors, opting instead to use ShadowPad. This points to a shift, researchers say, that is largely influenced by the privately sold platform. Buying a piece of malware lowers the cost of operation and human resources needed to develop the malware in-house.
"If all these groups make their own tools, they might make mistakes, not be as good developers, have bugs and issues … all different kinds of problems that attackers who develop their own tools are familiar with," Guerrero-Saade explains. Still, there is a downside: Buying malware can be prohibitively expensive for attackers, and not everyone can access ShadowPad's capabilities.
Unfortunately for defenders, the growth in use of ShadowPad gives adversaries a layer of cover and makes it difficult to attribute attack activity. When it first emerged on the scene, researchers considered ShadowPad to be used by a single group. Seeing multiple groups use it is "all the more concerning," Guerrero-Saade adds, as it is a very capable tool that may bypass detection.
Organizations relying on security tools that do only basic endpoint detection and response (EDR) logging will have a hard time with an attack tool that resides in memory, he continues. Because ShadowPad decrypts and loads its plug-ins directly into memory, they never touch disk, which makes them harder for security products to pick up on.
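The in-memory loading described above has a defensive counterpart: a plugin that is decrypted and loaded straight into memory leaves no file on disk, but it does leave executable memory that is not backed by any PE image on disk. The following is an added example, not code from the article or from SentinelLabs, of the hunt a defender would run over a process-memory enumeration: flag executable regions whose type is not MEM_IMAGE, and call out RWX private regions separately because that is the usual staging pattern for shellcode. The PAGE_* and MEM_* values are the real Windows constants; the Region records, the process names and the known_jit_processes allowlist are constructed sample data and hypothetical names chosen for illustration (a VirtualQueryEx-style enumerator would produce records of this shape, but none is invoked here, so the block runs offline).

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Windows memory protection constants (low byte carries the base protection;
# PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE are modifier bits above it).
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_PROTECTIONS = {
    PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY,
}

# Windows memory region types as reported by VirtualQuery(Ex).
MEM_PRIVATE = 0x20000   # committed private memory (heap, VirtualAlloc)
MEM_MAPPED = 0x40000    # section-backed, but not a PE image
MEM_IMAGE = 0x1000000   # backed by a PE image mapped by the loader


@dataclass
class Region:
    """One committed region, in the shape a memory enumerator would return."""
    pid: int
    process: str
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_path: Optional[str] = None  # backing file for MEM_IMAGE/MEM_MAPPED


@dataclass
class Finding:
    pid: int
    process: str
    base: int
    size: int
    reason: str


def is_executable(protect: int) -> bool:
    """True if the base protection (modifier bits stripped) allows execution."""
    return (protect & 0xFF) in EXECUTABLE_PROTECTIONS


def hunt_unbacked_executable(regions: Iterable[Region],
                             known_jit_processes: Set[str] = frozenset()) -> List[Finding]:
    """Flag executable memory that is not backed by a mapped PE image.

    Private or section-mapped executable memory is where in-memory loaders place
    decrypted plugins. JIT engines (browsers, .NET, Java) legitimately create such
    regions, so callers pass an allowlist of process names to suppress them; the
    allowlist is a heuristic and does not prove those processes are clean.
    """
    findings: List[Finding] = []
    for r in regions:
        if not is_executable(r.protect) or r.mem_type == MEM_IMAGE:
            continue
        if r.process.lower() in known_jit_processes:
            continue
        if (r.protect & 0xFF) == PAGE_EXECUTE_READWRITE:
            reason = "RWX non-image memory (shellcode/plugin staging pattern)"
        elif r.mem_type == MEM_PRIVATE:
            reason = "executable private memory with no backing image"
        else:
            reason = "executable section-backed memory that is not a PE image"
        findings.append(Finding(r.pid, r.process, r.base, r.size, reason))
    return findings


# Constructed sample data: four processes, only two of which carry suspicious regions.
SAMPLE_REGIONS = [
    # Normal loader-mapped image code: MEM_IMAGE, never flagged.
    Region(1204, "notepad.exe", 0x7ff6a0001000, 0x40000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Windows\System32\notepad.exe"),
    # Ordinary heap: writable but not executable.
    Region(612, "svchost.exe", 0x1a0000, 0x10000, 0x04, MEM_PRIVATE),
    # RWX private allocation inside a system process: classic staging region.
    Region(612, "svchost.exe", 0x2b0000, 0x30000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
    # Executable private memory, PAGE_GUARD set: the modifier bit must not hide it.
    Region(3320, "msiexec.exe", 0x7ff5c0000, 0x5000, PAGE_EXECUTE_READ | 0x100, MEM_PRIVATE),
    # Browser JIT code page: expected, suppressed by the allowlist.
    Region(4480, "chrome.exe", 0x1c4000000, 0x200000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
]

if __name__ == "__main__":
    for f in hunt_unbacked_executable(SAMPLE_REGIONS, known_jit_processes={"chrome.exe"}):
        print(f"pid {f.pid} {f.process}: 0x{f.base:x} (+0x{f.size:x}) {f.reason}")
```

The region list is the only input, so the same function works over a live enumeration, a saved dump, or a set of EDR memory-scan events exported to JSON. Treat hits as leads to triage (dump the region and look for a PE header or shellcode prologue), not as verdicts: JIT engines, packers and some security products also create executable private memory.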
"It's a fantastic tool for these attackers and presents defenders with new challenges," he says.