ShadowPad Malware Analysis

Summary

The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals. Secureworks® Counter Threat Unit™ (CTU) analysis of ShadowPad samples revealed clusters of activity linked to threat groups affiliated with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People’s Liberation Army (PLA).

Some clusters that target China’s ‘near abroad’ appear to be linked to PLA theater commands. These theater commands were introduced in the PLA reforms announced in 2015. Evidence of infrastructure and malware crossover among threat groups likely operating within the same theater command suggests that PLA reforms could be facilitating collaboration among these groups.

ShadowPad is decrypted in memory using a custom decryption algorithm. CTU™ researchers have identified multiple ShadowPad versions based on these distinct algorithms. ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality. CTU researchers discovered that ShadowPad payloads are deployed to a host either encrypted within a DLL loader or within a separate file alongside a DLL loader. These DLL loaders decrypt and execute ShadowPad in memory after being sideloaded by a legitimate executable vulnerable to DLL search order hijacking.

ShadowPad DLL loader execution

The majority of ShadowPad samples analyzed by CTU researchers were two-file execution chains: an encrypted ShadowPad payload embedded in a DLL loader. ShadowPad DLL loaders are sideloaded by a legitimate executable vulnerable to DLL search order hijacking. The DLL loader then decrypts and executes the embedded ShadowPad payload in memory using a custom decryption algorithm specific to the malware version. Table 1 lists legitimate executable and malicious DLL pairs that CTU researchers observed in analyzed samples.

Table 1. Legitimate executable and DLL loader filenames used to load ShadowPad.

CTU researchers identified ShadowPad execution chains involving a third file that contains the encrypted ShadowPad payload. These chains execute the legitimate executable (usually renamed), sideload the ShadowPad DLL loader, and load and decrypt the third file. CTU researchers observed threat actors using BDReinit.exe or Oleview.exe as initial files in the three-file ShadowPad execution chain. The third file in the BDReinit.exe execution chain is log.dll.dat; in the Oleview.exe execution chain, it is iviewers.dll.dat. CTU researchers have attributed campaigns using these execution chains to the Chinese BRONZE UNIVERSITY threat group, which has targeted transportation, natural resource, energy, and non-governmental organizations. Third-party researchers have also identified three-file ShadowPad execution chains that begin with consent.exe (followed by secur32.dll and secur32.dll.dat) and AppLaunch.exe (followed by mscoree.dll and mscoree.dll.dat). Additionally, CTU analysis revealed a sample that used AppLaunch.exe followed by mscoree.dll and mscoree.dll.mui.

Other ShadowPad samples from 2018 also deviated from the typical two-file execution chain. Those samples, which used the filename TSVIPSrv.DLL, are placed in the Windows System32 directory and are loaded by the Windows SessionEnv Service, which is vulnerable to DLL hijacking. CTU researchers observed BRONZE ATLAS using this technique in 2021 to load other payloads via this filename, including Cobalt Strike.

CTU researchers discovered ShadowPad samples sharing behavioral similarities such as injecting the decrypted ShadowPad payload into a newly launched target process and establishing persistence on a compromised host specified in the configuration settings. Figure 1 lists configuration information for a ShadowPad sample that reveals command and control (C2) details, the process injection target, and persistence via creation of a service and a registry Run key.

Figure 1. ShadowPad sample configuration information. (Source: Secureworks)

As part of the execution chain, ShadowPad copies the legitimate binary and sideloaded DLL to a subdirectory specific to each sample. Most analyzed samples were copied to a subdirectory under C:ProgramData, C:Users<username>Roaming, or C:Program Files. In three-file execution chains, the third file (e.g., log.dll.dat, iviewers.dll.dat) is typically deleted and the ShadowPad DLL loader is padded to over 50MB, likely to evade antivirus software. As part of this process, an encrypted payload is usually saved to a registry key under HKLMSOFTWAREClassesCLSID{GUID}<eight-character hexadecimal string> (see Figure 2).

Figure 2. Sample ShadowPad encrypted payload location. (Source: Secureworks)

After the initial setup the legitimate executable is launched as a Windows service. This service initiates the ShadowPad execution chain. The ShadowPad payload is injected into a child process of the service process that is specified in the ShadowPad configuration information. Figure 3 shows the timeline of a ShadowPad execution chain (i.e., log.exe -> log.dll -> log.dll.dat), followed by the service creation and execution of the copied files (log.exe renamed to reg.exe), and the payload injection.

Figure 3. Observed timeline of ShadowPad execution, service creation, and payload injection on a compromised network. (Source: Secureworks)

CTU researchers observed threat actors interacting with ShadowPad malware on compromised hosts. In one incident, multiple cmd.exe child processes were launched via hands-on-keyboard activity (see Figure 4).

Figure 4. Threat actor interaction with ShadowPad malware. (Source: Secureworks)

Identifying characteristics

The following file structures and behaviors can indicate a ShadowPad compromise:

• A subdirectory within C:ProgramData, C:Users<username>Roaming, or C:Program Files that contains a legitimate executable (likely renamed) and one of the known ShadowPad DLL loader filenames from Table 1 (see Figure 5)

  
  Figure 5. Example legitimate executable and ShadowPad DLL loader in C:ProgramData subdirectory. (Source: Secureworks)

• A Windows service that launches the legitimate executable from that subdirectory (see Figure 6)

  
  Figure 6. Example of installed Windows service for ShadowPad persistence. (Source: Secureworks)

• Process telemetry showing the Windows service creating an unusual child process (e.g., svchost.exe), which in turn creates multiple dllhost.exe and cmd.exe child processes

The BRONZE ATLAS/Chengdu 404 nexus

ShadowPad gained notoriety in 2017 after it was deployed in software supply chain attacks involving CCleaner, NetSarang, and ASUS Live Update utility. These campaigns were attributed to the BRONZE ATLAS threat group.

A 2017 Microsoft complaint and U.S. Department of Justice (DOJ) indictments unsealed in 2020 provide additional information on ShadowPad’s connection to BRONZE ATLAS. The Microsoft complaint alleges that BRONZE ATLAS (also known as Barium) deployed ShadowPad in 2017 to steal intellectual property and personally identifiable information (PII). At the time, the malware was used only by BRONZE ATLAS. The DOJ indictments allege that Chinese nationals working for the Chengdu 404 network security company deployed ShadowPad in a global campaign attributed to BRONZE ATLAS.

A related DOJ indictment revealed that these Chinese nationals collaborated with another Chinese national known by the handle ‘Rose’ (sometimes known as Withered Rose and Wicked Rose), using similar tactics, techniques, and procedures (TTPs) and sharing malware. The indictment describes this individual as a sophisticated threat actor who committed computer intrusion offenses targeting high-technology organizations globally. Campaigns linked to Rose were tracked as Barium.

A third-party report claimed that Rose likely co-developed malware with an associate named ‘whg,’ who has been linked to the development of the PlugX malware. PlugX is used by multiple Chinese threat groups. Third-party researchers also identified string and code overlap between PlugX and ShadowPad. This overlap suggests close links between the ShadowPad and PlugX developers. ShadowPad may have been developed by an individual or group affiliated with BRONZE ATLAS. One possibility is that Chengdu 404 originally developed ShadowPad, as the individuals named in the DOJ indictments were allegedly involved with developing malware used in their campaigns.

It is likely that only BRONZE ATLAS used ShadowPad until approximately 2019. Most of the ShadowPad DLL loader samples can be clustered based on compile timestamps, C2 infrastructure, payload versions, DLL loader code overlap, and likely victimology. CTU researchers identified multiple ShadowPad clusters used in campaigns since 2019 and attributed these clusters to distinct threat groups. These groups include BRONZE ATLAS and BRONZE UNIVERSITY, whose targeting suggests affiliation with the MSS. A third-party report suggests that BRONZE UNIVERSITY (referred to in the report as Earth Lusca) may be operating near to Chengdu in China after operational security mistakes revealed China-based infrastructure. Other ShadowPad clusters appear to reflect targeting aligned with PLA theater command areas of responsibility.

PLA reforms

In late 2015, PRC leader Xi Jinping announced widespread reforms to the PLA that included the establishment of the Strategic Support Force (PLASSF or SSF). This new branch focuses on modernizing the PLA’s capabilities in strategic frontiers of space, cyberspace, and the electromagnetic domain. The impact on the PLA’s cyberespionage mission has been extensive. Many organizations responsible for cyberespionage and signals intelligence (SIGINT) associated with the Third Department of the PLA’s General Staff Department (commonly known as 3PLA) have been absorbed into the SSF Network Systems Department (NSD). The SSF NSD is also believed to be responsible for a broad range of information warfare capabilities beyond cyberespionage, coordinating electronic countermeasures as well as offensive and defensive cyber projects. Figure 7 shows the likely SSF organizational structure.

Figure 7. PLA SSF likely organizational structure. (Source: Institute for National Strategic Studies)

As part of the modernization, the PLA replaced its seven military regions with five theater commands: Eastern, Southern, Western, Northern, and Central (see Figure 8). These theater commands orchestrate ground, naval, air, and conventional missile forces for military operations in their geographic area of responsibility. While the exact area of responsibility for each theater command is ambiguous, they are broadly responsible for specific threats within their respective regions:

• Eastern Theater Command: Taiwan strait and East China sea
• Southern Theater Command: South China sea
• Northern Theater Command: Russia and the Korean peninsula
• Western Theater Command: Central Asia and the Sino-Indian border
• Central Theater Command: defends the capital and possibly provides support to other theater commands

Figure 8. PLA theater command structure. (Source: The Jamestown Foundation)

Prior to the PLA reforms, each military region maintained at least one Technical Reconnaissance Bureau (TRB) to handle SIGINT and cyberespionage activities focused on the military region’s area of responsibility. The TRBs were distinct from the former 3PLA units that were located across China, but they may have been tasked by the 3PLA.

The relationship between the TRBs and the theater commands is unclear. The TRBs may have been consolidated under the SSF NSD alongside former 3PLA units. It is also possible that they continue to target countries in their area of responsibility but under the command and control of the SSF NSD.

Connections to PLA-linked threat groups

CTU researchers grouped distinct ShadowPad activity clusters by targeted geographic regions. Clusters align with the documented area of responsibility for three of the theater commands: Northern, Southern, and Western. CTU researchers attribute some of the ShadowPad activity to Chinese threat groups that have been publicly linked to specific PLA units located in the corresponding theater commands:

• Northern Theater Command: CTU researchers linked ShadowPad activity to BRONZE HUNTLEY and BRONZE BUTLER, which are reportedly located in the Northern Theater Command. These threat groups deployed ShadowPad against targets in South Korea, Russia, Japan, and Mongolia. These regions align with the Northern Theater Command’s focus. In 2021, CTU researchers observed malware and infrastructure overlap between the two threat groups, suggesting close collaboration.
• Western Theater Command: Some ShadowPad activity primarily targeted countries neighboring China’s western border, such as India and Afghanistan. CTU researchers clustered this activity based on attacker-controlled infrastructure, ShadowPad DLL loader variants such as ICEKILLER, and contextual information from third-party sources. Third-party researchers linked some of these campaigns to an individual working on behalf of the Western Theater Command. CTU analysis did not reveal sufficient evidence to corroborate these claims, but the locations and victimology are consistent with threat actors operating on behalf of the Western Theater Command.
• Southern Theater Command: CTU researchers identified activity that used a specific ShadowPad version to target organizations in the South China Sea region. BRONZE GENEVA is likely responsible for part of this activity based on overlap between the C2 infrastructure for the Nebulae malware family associated with BRONZE GENEVA and a ShadowPad sample analyzed by CTU researchers.

This attribution of ShadowPad campaigns to theater commands is based on the submitter’s location for ShadowPad malware samples uploaded to the VirusTotal analysis service (potentially indicating the victim’s country), the C2 domain names that appear to reference specific regions (e.g., cloudvn. info suggests Vietnam targeting), contextual information regarding the activity and victimology, and the absence of evidence that ShadowPad samples with the same attributes were deployed in other regions.

Conclusion

Evidence available as of this publication suggests that ShadowPad has been deployed by MSS-affiliated threat groups, as well as PLA-affiliated threat groups that operate on behalf of the regional theater commands. The malware was likely developed by threat actors affiliated with BRONZE ATLAS and then shared with MSS and PLA threat groups around 2019. Given the range of groups leveraging ShadowPad, all organizations that are likely targets for Chinese threat groups should monitor for TTPs associated with this malware. Organizations with operations in or connections to geographic regions covered by the regional theater commands should specifically monitor for known TTPs associated with threat groups likely affiliated with the relevant theater command.

Threat indicators

The threat indicators in Table 2 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The IP addresses and domains may contain malicious content, so consider the risks before opening them in a browser.

Table 2. Indicators for this threat.

References

Threat Intelligence Team. “New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities.” Avast. March 8, 2018. https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

Dr Web. “Study of the ShadowPad APT backdoor and its relation to PlugX.” October 26, 2020. https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf

Fraser, Nalani and Vanderlee, Kelli. “Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Mission Levels.” FireEye. October 10, 2019. https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

Headquarters, Department of the Army (U.S.). “Chinese Tactics.” August 9, 2021. https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN33195-ATP_7-100.3-000-WEB-1.pdf

Hsieh, Yi-Jhen and Chen, Joey. “ShadowPad: A Masterpiece of Privately Sold Malware in Chinese Espionage.” Sentinel Labs. August 19, 2020. https://assets.sentinelone.com/c/Shadowpad?x=P42eqA

Insikt Group. “Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries.” Recorded Future. June 16, 2021. https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/

Kaspersky. “ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World.” August 15, 2017. https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world

Ni, Adam and Gill, Bates. “The People’s Liberation Army Strategic Support Force: Update 2019.” The Jamestown Foundation. May 29, 2019. https://jamestown.org/program/the-peoples-liberation-army-strategic-support-force-update-2019

Prescott, Adam. “Chasing Shadows: A deep dive into the latest obfuscation method being used by ShadowPad.” PwC. December 8, 2021. https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html

Recorded Future. “Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries.” June 16, 2021. https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf

Stokes, Mark A.; Lin Jenny; and Hsiao, L.C. Russell. “The Chinese People’s Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure.” Project 2049 Institute. November 11, 2011. https://project2049.net/wp-content/uploads/2018/05/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf

United States Department of Justice. “Seven International Cyber Defendants, Including ‘Apt41’ Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally.” September 16, 2020. https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer

United States District Court for the District of Columbia. “United States of America v. Zhang Haoran, Tan Dailin, Defendants.” May 7, 2019. https://www.justice.gov/opa/press-release/file/1317216/download

United States District Court for the Eastern District of Virginia. “Civil Action No: 1:17-cv-01224.” October 26, 2017. https://www.noticeofpleadings.net/barium/files/COMPLAINT_AND_SUMMONS/Complaint.pdf

Wuthnow, Joel and Saunders, Phillip C. “Chinese Military Reforms in the Age of Xi Jinping: Drivers, Challenges, and Implications.” Institute for National Strategic Studies. March 2017. https://ndupress.ndu.edu/Portals/68/Documents/stratperspective/china/ChinaPerspectives-10.pdf

Zetter, Kim. “Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers.” Vice. March 25, 2019. https://www.vice.com/en/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers