ShadowPad has become the RAT of choice for several state-sponsored Chinese APTs

The ShadowPad malware came into the spotlight in 2017 when it was used in two software supply-chain attacks by a suspected Chinese state-sponsored hacker group. Since then it has become the tool of choice for several cyber espionage groups that are believed to be associated with China's Ministry of State Security (MSS) and the People's Liberation Army (PLA).

"The malware was likely developed by threat actors affiliated with Bronze Atlas and then shared with MSS and PLA threat groups around 2019," researchers from security firm Secureworks said in a new report. "Given the range of groups leveraging ShadowPad, all organisations that are likely targets for Chinese threat groups should monitor for TTPs associated with this malware."

Who is Bronze Atlas?

Bronze Atlas is the alias used by Secureworks for a Chinese cyber espionage group that has been active since at least 2007. This group is known under different names in the security industry: APT41, Axiom, Barium, Wicked Panda and sometimes Winnti, after a Trojan program that has long been in the group's arsenal.

APT41 has targeted a large variety of organisations during its 15-year history. Some of the targeting seemed to match China's geopolitical interests, while others seemed more like cybercrime attacks meant to steal money. This has prompted speculation that either APT41 is an external contractor that the Chinese agencies rely on for some operations, or that multiple smaller groups under the same umbrella are tasked with different goals.

Some of those assumptions were partly validated in September 2020, when the U.S. Department of Justice unsealed indictments against three Chinese and two Malaysian nationals in connection with APT41 attacks. Three of them were involved in the management of a company called Chengdu 404 Network Technology that was allegedly serving as a front company for the group's activities.

Another Chinese hacker named Tan Dailin, who was indicted in 2019 and is on the FBI's wanted list, is also believed to have worked with APT41, targeting high-tech and online gaming companies in attacks that were attributed to a cluster of APT41 activity tracked as Barium by security companies. 

These include the software supply chain attacks against NetSarang, CCleaner and ASUS LiveUpdate. Dailin, known online as Withered Rose, was named in past reports as a malware developer who collaborated with another hacker known as whg, who is believed one of the authors behind the PlugX Trojan.

PlugX dates back to 2008 and over the years has been one of the remote access trojans (RATs) most commonly used by Chinese hacker groups, including by APT41. According to Secureworks and other malware researchers, there is some code overlap between ShadowPad and PlugX, suggesting a possible collaboration between their creators.

What is ShadowPad?

Like PlugX, ShadowPad is a RAT that's used to maintain persistent access to compromised computers and allows hackers to execute shell commands and additional payloads. The Secureworks researchers have observed attacks where the ShadowPad process on an infected system was used to spawn multiple cmd.exe child processes, suggesting that hackers were manually interacting with the system.

ShadowPad is deployed through a technique known as DLL side-loading, where attackers deliver their malicious code as a DLL that has the same name as one of the libraries that a legitimate application searches for to load. This is possible with applications that don't perform additional checks on the DLL file, like digital signature, to ensure it hasn't been tampered.

The Secureworks researchers have seen ShadowPad being side-loaded by leveraging the legitimate executables AppLaunch.exe (Microsoft), hpqhvind.exe (Hewlett Packard), consent.exe (Microsoft), TosBtKbd.exe (Toshiba), BDReinit.exe (BitDefender) and Oleview.exe (Microsoft). Using this technique allows attackers to potentially evade detection because their malware is loaded into the memory of a process spawned by a legitimate application.

In some attacks, the rogue DLL planted by the attackers included the encrypted malicious ShadowPad payload that was then decrypted and executed in memory. In other attacks the payload was delivered a separate encrypted file that the DLL loaded as part of its routine. This keeps the rogue DLL slimmer and without encrypted code inside that would potentially trigger detection rules.

A typical ShadowPad deployment will create a new directory under C:\ProgramData, C:\Users\<username>\Roaming or C:\Program Files that will contain the legitimate executable being abused, the lightweight DLL loader and the encrypted ShadowPad payload file. 

After first execution, the payload file is deleted and its contents are moved to the system registry. A Windows service is then created to execute the whole ShadowPad infection chain on system restart.

The different APTs using ShadowPad

While ShadowPad seemed to be exclusively used by Bronze Atlas early on, in 2019 it started appearing in attack campaigns against transportation, natural resource, energy and non-governmental organisations that Secureworks attributes to a different group called Bronze University. 

The company suspects both Atlas and University have links to China's MSS based on the victim typology and the type of information targeted. Bronze University's campaigns overlap with the activity described by Trend Micro in a report covering a group the company dubbed Earth Lusca.

Attack campaigns using ShadowPad observed in 2021 targeted organisations in South Korea, Russia, Japan, and Mongolia. These were attributed by Secureworks to two groups dubbed Bronze Huntley (a.k.a. Karma Panda and Team Tonto) and Bronze Butler (a.k.a. Tick) that the company believes are associated with China's PLA, namely its Northern Theater Command.

Since 2015, the PLA has been reformed and its seven military regions have been replaced with five theatre commands -- Eastern, Southern, Northern, Western and Central -- each responsible for handling specific threats in their particular regions and borders. 

According to Secureworks, this modernisation included the establishment of the PLA Strategic Support Force (PLASSF or SSF), which focuses on modernising the PLA's capabilities in the areas of space, cyber space and the electromagnetic domain. 

The signals intelligence (SIGINT) capabilities previously associated with the Third Department of the PLA's General Staff (3PLA), which has been named as responsible for some of China's cyber espionage activities in the past, have now likely been brought under PLASSF and support the different theatre commands.

Secureworks observed clusters of ShadowPad activity that shared DLL variants and infrastructure in campaigns against targets in India and Afghanistan.

"Third-party researchers linked some of these campaigns to an individual working on behalf of the Western Theater Command," the Secureworks CTU researchers said. "CTU analysis did not reveal sufficient evidence to corroborate these claims, but the locations and victimology are consistent with threat actors operating on behalf of the Western Theater Command."

Finally, a separate ShadowPad version was observed targeting organisations in the South China Sea. There is overlap between the command-and-control infrastructure used in this campaign and that used by the Nebulae malware family that's attributed to a Chinese APT group that Secureworks tracks as Bronze Geneva but is also known as APT30. This group is believed to match the targeting interests of the PLA's Southern Theater Command.

The Secureworks report includes indicators of compromise associated with all the ShadowPad versions, infrastructure and campaigns the company has tracked. Organisations can use them to build detection rules for their own environments.