ShadowPad

Malware & Tools · ShadowPad

· MalwareS0596 · Zararlı Yazılım

Type

malware

Techniques

Used By

8 groups

Platforms

Windows

Description

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)

Tactic Coverage

command and control (7)discovery (6)stealth (6)privilege escalation (2)exfiltration (1)defense impairment (1)persistence (1)

Used By (8 groups)

G0096APT41Wicked Panda, Brass Typhoon G0143Aquatic Panda G0060BRONZE BUTLERREDBALDKNIGHT, Tick G1006Earth LuscaTAG-22, Charcoal Typhoon G0129Mustang PandaTA416, RedDelta G1042RedEcho G0131Tonto TeamEarth Akhlut, BRONZE HUNTLEY

Techniques (21)

T1016System Network Configuration Discovery

discovery

T1027Obfuscated Files or Information

stealth

T1027.011Fileless Storage

stealth

T1029Scheduled Transfer

exfiltration

T1033System Owner/User Discovery

discovery

T1055Process Injection

stealthprivilege escalation

References

https://attack.mitre.org/software/S0596 https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf https://securelist.com/shadowpad-in-corporate-networks/81432/https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf