Researchers stated that they had linked the ShadowPad backdoor malware with the People’s Liberation Army (PLA) and the Chinese Ministry of State Security (MSS), revealing the inner workings of ShadowPad in a detailed report.
ShadowPad, utilised by China-based threat groups since 2019, is an advanced remote access trojan that is decrypted in memory using a custom decryption algorithm.
The detailed report revealed that ShadowPad could exfiltrate critical system information, interact with the file system and registry, and launch additional modules to propagate and extend its reach. Its payloads are deployed to a host either within a separate file accompanied by a DLL loader or encrypted inside a DLL loader itself.
Researchers base the link between ShadowPad and China’s PLA on evidence suggesting that it was deployed on behalf of multiple regional theatre commands in China.
The researchers grouped the different ShadowPad activity clusters under three of China’s five regional theatre commands: the Northern, Southern, and Western.
The Northern Theater Command launched ShadowPad against targets in Russia, Mongolia, South Korea, and Japan. The Southern Theater Command targeted firms in the South China Sea regions such as the Philippines, Indonesia, and Taiwan.
The Western Theatre Command targeted nations close to China’s western border, such as Afghanistan and India. ShadowPad’s connection to the Chinese MSS, on the other hand, may stem from an affiliation with the Bronze Atlas group’s malware. Department of Justice indictments have established a linkage between Bronze Atlas and the Chengdu 404 security organisations, which had Chinese officials working with them.
Researchers also identified string and code overlap between ShadowPad and PlugX, malware widely distributed by China-based threat actors.
State-sponsored threat groups pose a significant challenge to security experts, since they have sustained resources to target any organisation they choose. The use of the same backdoor by several threat groups implies that collaboration between malware developers and the sponsoring state is taking place today.
To remain protected, organisations should monitor the tactics, techniques, and procedures (TTPs) of the ShadowPad malware.