
Attacks on industrial control systems using ShadowPad
Researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. The infected machines include engineering computers used in building automation systems.
Indicators of Compromise
Domains (38)
abuoluowang.com
houwags.defineyourid.site
grandfoodtony.com
stat.8788912.com
help.ffyl-bet.com
static.daytodayup.com
www.tiger266.com
live.musicweb.xyz
help.mkdjgame.com
yd.full-subscription.com
zk.full-subscription.com
storage.ondriev.tk
www.ffyl-bet.com
api.onedriev.tk
obo.videocenter.org
cdn.1685810.com
cachedownload.goldenrose88.com
order.cargobussiness.site
backup.microsupdate.com
api.gpk-demo.com
(+18 more)
Hashes (136)
IPv4 (93)
45.77.250.20923.106.123.134164.155.51.9152.32.139.12823.106.124.156149.127.176.12188.127.237.27103.138.82.20214.18.191.15038.55.223.221188.116.48.62103.56.19.42103.133.139.29120.79.8.23156.240.104.14938.54.4.48103.151.229.130173.254.227.20423.106.125.132103.133.139.23
(+73 more)
CVEs (3)
CVE-2022-24934
CVE-2022-29464
CVE-2019-16098
APT Groups
Earth Lusca (China)
Axiom (China)
Wet Panda (China)
Tonto Team (China)
Notes
Techniques Used
Source: MITRE ATT&CK software entry for ShadowPad (https://attack.mitre.org/software/S0596). All entries are from the Enterprise domain; columns are technique ID, technique name, and how ShadowPad uses it.

T1071.001  Application Layer Protocol: Web Protocols
           ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL. [3]
T1071.002  Application Layer Protocol: File Transfer Protocols
           ShadowPad has used FTP for C2 communications. [3]
T1071.004  Application Layer Protocol: DNS
           ShadowPad has used DNS tunneling for C2 communications. [3]
T1132.002  Data Encoding: Non-Standard Encoding
           ShadowPad has encoded data as readable Latin characters. [2]
T1140      Deobfuscate/Decode Files or Information
           ShadowPad has decrypted a binary blob to start execution. [3]
T1568.002  Dynamic Resolution: Domain Generation Algorithms
           ShadowPad uses a DGA that is based on the day of the month for C2 servers. [2][3][4]
T1070      Indicator Removal
           ShadowPad has deleted arbitrary Registry values. [3]
T1105      Ingress Tool Transfer
           ShadowPad has downloaded code from a C2 server. [2]
T1112      Modify Registry
           ShadowPad maintains a configuration block and virtual file system in the Registry. [3][5]
T1095      Non-Application Layer Protocol
           ShadowPad has used UDP for C2 communications. [3]
T1027      Obfuscated Files or Information
           ShadowPad has encrypted its payload, a virtual file system, and various files. [2][5]
T1057      Process Discovery
           ShadowPad has collected the PID of a malicious process. [3]
T1055      Process Injection
           ShadowPad has injected an install module into a newly created process. [3]
T1055.001  Process Injection: Dynamic-link Library Injection
           ShadowPad has injected a DLL into svchost.exe. [3]
T1029      Scheduled Transfer
           ShadowPad has sent data back to C2 every 8 hours. [2]
T1082      System Information Discovery
           ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers. [3]

Technique pages: https://attack.mitre.org/techniques/<ID> (e.g. https://attack.mitre.org/techniques/T1071/001).

References
[2] Kaspersky Securelist, "ShadowPad in corporate networks": https://securelist.com/shadowpad-in-corporate-networks/81432/
[3] Kaspersky, ShadowPad technical description (PDF): https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf
[4] FireEye, APT41 report: https://content.fireeye.com/apt-41/rpt-apt41
[5] Trend Micro, Earth Lusca technical brief (PDF): https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf
style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1016</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0596" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">ShadowPad</a> has collected the domain name of the victim system.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 
223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1033</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0596" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">ShadowPad</a> has collected the username of the victim system.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223);"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;">Enterprise</td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; 
border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">T1124</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><a href="https://attack.mitre.org/software/S0596" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">ShadowPad</a> has collected the current date and time of the victim system.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></p></td></tr></tbody></table>Retrieved from https://attack.mitre.org/software/S0596/<div><br><div><div>References</div><div><br></div><div>1. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.</div><div>2. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.</div><div>3. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.</div><div>4. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. 
Retrieved September 23, 2019.</div><div>5. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.</div><div>6. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.</div></div></div>
Mitigation
<div>In order not to be affected by ShadowPad and related malicious software, you should:</div>
<div><ul><li>Constantly update and patch operating systems and software.</li><li>Be aware of possible phishing activities.</li><li>Educate your employees on cyber security best practices.</li><li>Monitor the system for IOCs.</li></ul></div>
<div>Also, to minimize the effects, you can:</div>
<div><ul><li>Identify your critical digital assets, determine the impact if they were affected by a malware attack, and take precautions accordingly.</li><li>Develop an internal and external communication strategy.</li><li>Exercise your incident management plan.</li><li>Determine how you will respond to a possible ransom demand and to the risk of your organization's data being published.</li></ul></div>
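The two monitoring items above ("Monitor the system for IOCs", and the 8-hour Scheduled Transfer behaviour listed under T1029 in the techniques table) can be turned into a concrete log check. The script below is an added example, not code from the report, from MITRE, or from any of the cited vendors. It assumes a constructed whitespace-separated proxy log format, placeholder watchlist entries in reserved documentation ranges (not the report's indicators), and illustrative thresholds (`min_events`, `max_jitter`) that a team would tune to its own environment.

```python
"""Added detection example (not from the report or from MITRE): match outbound
connections against an IoC watchlist and flag fixed-cadence beaconing such as
the 8-hour scheduled transfer attributed to ShadowPad (T1029).

Everything below is constructed for illustration: the log format, hostnames,
watchlist entries and thresholds are assumptions, not indicators from the report."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist (placeholders in reserved example ranges). In practice
# this set is loaded from the report's IoC feed rather than hard-coded.
IOC_DOMAINS = {"update.example-c2.invalid", "cdn.example-c2.invalid"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed proxy log: "<ISO timestamp> <src host> <dst name> <dst ip> <bytes out>".
# ENG-WS01 calls one destination every 8 hours with a few seconds of drift;
# ENG-WS02 shows ordinary, irregular traffic. The last line is deliberately malformed.
SAMPLE_LOG = """\
2023-05-01T00:02:10 ENG-WS01 update.example-c2.invalid 203.0.113.45 1842
2023-05-01T01:15:00 ENG-WS01 www.example.com 93.184.216.34 512
2023-05-01T08:02:13 ENG-WS01 update.example-c2.invalid 203.0.113.45 1790
2023-05-01T09:00:00 ENG-WS02 mail.example.org 192.0.2.10 4000
2023-05-01T11:40:22 ENG-WS02 www.example.com 93.184.216.34 300
2023-05-01T13:37:00 ENG-WS02 mail.example.org 192.0.2.10 4100
2023-05-01T16:02:09 ENG-WS01 update.example-c2.invalid 203.0.113.45 1903
2023-05-01T21:05:00 ENG-WS02 mail.example.org 192.0.2.10 3900
2023-05-02T00:02:11 ENG-WS01 update.example-c2.invalid 203.0.113.45 1811
this line is malformed and is skipped by the parser
"""


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped
    rather than aborting the run, since real exports routinely contain them."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, ip, nbytes = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "ip": ip, "bytes": int(nbytes)})
        except ValueError:
            continue
    return events


def ioc_hits(events, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Return every event whose destination name or IP is on the watchlist."""
    return [e for e in events if e["dst"] in domains or e["ip"] in ips]


def periodic_beacons(events, min_events=4, max_jitter=0.05):
    """Flag (src, dst) pairs contacted on a near-constant interval.

    For each pair the inter-connection gaps are computed; if their coefficient
    of variation (pstdev / mean) is at or below max_jitter, the pair is reported
    with its mean interval in hours. The check keys on regularity, not on a
    specific period, so it catches cadences other than the report's 8 hours."""
    series = defaultdict(list)
    for e in events:
        series[(e["src"], e["dst"])].append(e["ts"])
    findings = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; not a beacon series
        if pstdev(gaps) / avg <= max_jitter:
            findings[key] = round(avg / 3600, 2)
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(evts):
        print(f"IOC match: {hit['src']} -> {hit['dst']} ({hit['ip']}) at {hit['ts']}")
    for (src, dst), hours in periodic_beacons(evts).items():
        print(f"Periodic beacon: {src} -> {dst} every ~{hours} h")
```

Two practical points follow from the design. First, an 8-hour cadence needs more than a day of retained logs before `min_events=4` can fire, so the retention window of the proxy or firewall logs bounds what this check can see. Second, `max_jitter` is deliberately loose because implants commonly randomize their sleep; a known-good allowlist (update servers, monitoring agents) should be subtracted from the findings before anyone is paged, since those are the legitimate traffic most likely to look periodic.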