
Study of the ShadowPad APT backdoor and its relation to PlugX


October 27, 2020

Introduction


In July 2020, we released a study of targeted attacks on state institutions in Kazakhstan and Kyrgyzstan with a detailed analysis of malware found in compromised networks. During the investigation, Doctor Web specialists analyzed and described several groups of trojan programs, including new samples of trojan families already encountered by our virus analysts, as well as previously unknown trojans. The most notable discovery was the samples of the XPath family. We were also able to find evidence that allowed us to link two initially independent incidents. In both cases, the attackers used a similar selection of malware, including the same specialized backdoors that infected domain controllers in the attacked organizations.

During the examination, analysts studied samples of PlugX multi-module backdoors used for initial penetration into the network infrastructure. The analysis showed that certain PlugX modifications used the same domain names of C&C servers, as did other backdoors related to targeted attacks on Central Asian state institutions. The detection of the PlugX programs indicates Chinese APT groups are possibly involved in these incidents.


According to our data, the unauthorized presence in both networks lasted for more than three years, and several hacker groups could be behind the attacks. Investigations of such complex cyber incidents involve long-term work, so they are rarely covered by a single article.

The Doctor Web virus laboratory received new samples of malware found on the infected computers in the local network of a state institution in Kyrgyzstan.

In addition to the malware described in the previous article, the ShadowPad backdoor deserves particular attention. Various modifications of this malware family are a well-known tool of the Winnti APT group, presumably of Chinese origin, active since at least 2012. It is noteworthy that the Farfli backdoor was also installed on computers along with ShadowPad, and both programs referred to the same C&C server. Additionally, we uncovered several PlugX modifications on the same computer.

In this study we analyzed the algorithms of the detected backdoors. Special attention is paid to the code similarities between the ShadowPad and PlugX samples, as well as to some intersections in their network infrastructure.

List of detected malware

The following backdoors were found on the infected computer:

| SHA256 hashes | Detection name | C&C server | Installation date |
|---|---|---|---|
| ac6938e03f2a076152ee4ce23a39a0bfcd676e4f0b031574d442b6e2df532646 | BackDoor.ShadowPad.1 | www[.]pneword[.]net | 07.09.2018 13:14:57.664 |
| 9135cdfd09a08435d344cf4470335e6d5577e250c2f00017aa3ab7a9be3756b3, 2c4bab3df593ba1d36894e3d911de51d76972b6504d94be22d659cff1325822e | BackDoor.Farfli.122, BackDoor.Farfli.125 | www[.]pneword[.]net | 03.11.2017 09:06:07.646 |
| 3ff98ed63e3612e56be10e0c22b26fc1069f85852ea1c0b306e4c6a8447c546a (DLL-downloader), b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module) | BackDoor.PlugX.47, BackDoor.PlugX.48 | www[.]mongolv[.]com | 29.12.2016 14:57:00.526 |
| 32e95d80f96dae768a82305be974202f1ac8fcbcb985e3543f29797396454bd1 (DLL-downloader), b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module) | BackDoor.PlugX.47, BackDoor.PlugX.48 | www[.]arestc[.]net | 23.03.2018 13:06:01.444 |
| b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module) | BackDoor.PlugX.48 | www[.]icefirebest[.]com | 03.12.2018 14:12:24.111 |

For further research, we found and analyzed other samples of the ShadowPad family in order to perform a detailed examination of the similarities between the ShadowPad and PlugX backdoors:

  • BackDoor.ShadowPad.3
  • BackDoor.ShadowPad.4 — a modification of ShadowPad that was part of a self-extracting WinRAR dropper. It loaded a module that is atypical for this family: a DLL library.

A thorough study of ShadowPad samples and their comparison with previously studied PlugX modifications indicates a high similarity in the operation principles and modular structures of the backdoors from both families. These malicious programs are united not only by the general concept, but also by the nuances of the code: certain development techniques, ideas, and technical solutions are nearly identical. An important point is that both backdoors were located in the compromised network of a state institution in Kyrgyzstan.

For a detailed description of the malware used and how it works, see the PDF version of the study or the Dr.Web Virus Library.

Conclusion

The available data allow us to conclude that these families are related, either through simple code borrowing or because both programs were developed by the same author or group of authors. In the second case, it is very likely that ShadowPad is an evolution of PlugX as a newer and more advanced APT tool. The storage format of the malicious modules used in ShadowPad makes it much more difficult to detect them in RAM.

Indicators of compromise.
