ShadowPad, a broad and modular backdoor used by various Chinese threat groups in recent years, has been analysed by cybersecurity researchers, who have also linked it to the country's civil and military intelligence services. This flexible malware platform shares features with the PlugX malware. It has also been used in high-profile supply chain attacks on CCleaner, NetSarang, and ASUS, forcing operators to change strategy and improve their defensive measures.
While ShadowPad was first used in operations linked to a threat group known as Bronze Atlas, also known as Bario (Chinese nationals working for Chengdu 404, a network security company), it has since been adopted by other Chinese threat groups after 2019, according to SentinelOne, a cybersecurity company.
Typically, ShadowPad payloads are either encrypted inside a DLL loader or embedded in a separate file that accompanies a DLL loader; the loader then decrypts and executes the embedded ShadowPad payload in memory, using a decryption technique specific to that malware version. These DLL loaders run after being loaded by a genuine executable that is vulnerable to DLL search order hijacking, a technique that lets malware execute by abusing the mechanism a program uses to locate the DLLs it needs to load.
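The loading chain described above leaves a detectable trace: a DLL whose name belongs to a system library is loaded from an application or user directory instead of the Windows system directory, often sitting beside the executable that loaded it and unsigned. The following is an added example written for this page, not code from the article, from SentinelOne, or from any ShadowPad analysis. It runs a simple sideloading check over constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields; the `KNOWN_SYSTEM_DLLS` allowlist is a hypothetical baseline a defender would build from clean hosts, and the sample paths are constructed for illustration.

```python
import ntpath

# Constructed sample records shaped like Sysmon Event ID 7 (ImageLoad) fields.
# Illustrative values only; these are not logs from any real incident.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"Image": r"C:\Tools\legit.exe",
     "ImageLoaded": r"C:\Tools\dbghelp.dll", "Signed": "false"},
]

# Directories where Windows keeps its own DLLs (lower-case, no trailing separator).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Hypothetical allowlist of DLL names that normally live in the system directory.
# A real deployment would derive this from a clean baseline; it is not a complete list.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "ntdll.dll", "kernel32.dll",
    "wininet.dll", "userenv.dll",
}


def is_system_dir(directory: str) -> bool:
    """True if the directory is a Windows system directory or a subdirectory of one."""
    normalized = ntpath.normcase(directory).rstrip("\\") + "\\"
    return normalized.startswith(tuple(d + "\\" for d in SYSTEM_DIRS))


def find_sideloading_candidates(records):
    """Flag image loads where a system DLL name resolved outside the system directory.

    Each finding records whether the DLL came from the loading process's own
    directory (the classic search order hijacking pattern) and whether it was unsigned,
    so an analyst can prioritise the most suspicious loads.
    """
    findings = []
    for rec in records:
        loaded = rec["ImageLoaded"]
        name = ntpath.normcase(ntpath.basename(loaded))
        loaded_dir = ntpath.dirname(loaded)
        if name not in KNOWN_SYSTEM_DLLS or is_system_dir(loaded_dir):
            continue  # either not a system DLL name, or loaded from where it belongs
        same_dir = ntpath.normcase(loaded_dir) == ntpath.normcase(ntpath.dirname(rec["Image"]))
        findings.append({
            "process": rec["Image"],
            "dll": loaded,
            "sideloaded_from_app_dir": same_dir,
            "unsigned": rec.get("Signed", "").lower() != "true",
        })
    return findings


if __name__ == "__main__":
    for finding in find_sideloading_candidates(SAMPLE_IMAGE_LOADS):
        print(finding)
```

Run as a script, it prints the two records that match the pattern: `version.dll` loaded from a user's Temp directory and `dbghelp.dll` loaded from `C:\Tools`, both beside the executable that loaded them. The same logic maps directly onto a SIEM query over real ImageLoad telemetry; the allowlist is the part that needs tuning per environment, since legitimate software does occasionally ship its own copy of a system DLL.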
ShadowPad is an example of how dangerous and far-reaching a successful supply chain attack can be. Given the reach and data collection opportunities it gives attackers, the approach will most likely be repeated with some other widely used software component. Large enterprises must rely on advanced solutions capable of monitoring network activity and detecting anomalies. That is how malicious activity can be detected even when attackers are sophisticated enough to hide their malware inside legitimate software.