ShadowPad malware supports numerous C2 protocols and infrastructure

November 14, 2022
ShadowPad Malware C2 Infrastructure PlugX Cybersecurity

Cybersecurity research has revealed details of the C2 server infrastructure used by the ShadowPad malware in its attacks. ShadowPad is a notorious backdoor that succeeded the PlugX malware strain.

According to the investigation, there are three ShadowPad strains, called Variant1, Variant2, and Variant3. The first variant was previously named ScatterBee when it was collected and examined by researchers last year.

From September 2021 to September this year, researchers identified 83 confirmed ShadowPad C2 servers on 75 unique IP addresses on the internet. Variant1 was the most active of the three, responsible for 48% of the ShadowPad C2 servers. Variant3 followed with 42%, and Variant2 had the smallest share, at 10%.

However, the number of active C2 servers has declined sharply this year compared to last year.


ShadowPad supports six C2 protocols.


Cybersecurity experts report that ShadowPad supports six C2 protocols: SSL, HTTP, TCP, UDP, DNS, and HTTPS. Three of these (UDP, HTTPS, and TCP) are the ones ShadowPad operators have used most heavily in their recent attacks.

Each variant uses its own initial encryption key values in its encoding algorithm, and those values also differ depending on the protocol. Because any change to these values effectively yields a new variant, identifying new variants becomes challenging whenever the operators modify them.

Researchers located the C2 servers by analysing the C2 behaviour of the three ShadowPad strains and checking it against the list of open hosts produced by the ZMap internet scanner.

Furthermore, these ShadowPad variants have been adopted by other well-known threat groups, such as the Tonto Team, Winnti, and Space Pirates. Two other malware families, ReverseWindow and Spyder, have also been observed communicating with ShadowPad's C2 IP addresses.

Following this discovery, analysts concluded that there are code overlaps between the Spyder sample and the Worker component of Winnti's latest trojan variant.

As of now, several China-backed actors share access to and distribute the ShadowPad infrastructure, and that infrastructure overlaps with other malware families. Researchers believe ShadowPad's use will expand further. Organisations should monitor the TTPs that threat actors are likely to use in association with the ShadowPad malware infrastructure.
