Secureworks recently posted research analyzing Wicked Panda’s ShadowPad RAT. Secureworks stated multiple clusters of ShadowPad activity appeared to be linked to PLA theater commands.
Who is Wicked Panda?
Wicked Panda, also known as Axiom, Winnti, APT41, and Bronze Atlas, is a sophisticated Chinese-nexus threat actor group conducting activity in support of, or in conjunction with, the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). Active since at least 2009, Wicked Panda's roots appear to lie in cybercrime, from which the group later evolved into its current form. It is unknown whether the Chinese government recruited its members into the military or intelligence services or whether they operate as contractors.
Their activity has ranged from criminal, financially motivated attacks to stealthy espionage campaigns in support of Chinese military intelligence collection requirements. Wicked Panda has been known to attack a wide range of targets including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments. The group has targeted a broad range of entities across the APAC, AMEA, and AMERICAS regions.
Wicked Panda is known for having skilled programmers capable of developing sophisticated tools. The group uses a variety of TTPs including, but not limited to, living-off-the-land (LotL) tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad. The group is also known to steal software signing certificates for use in its campaigns. Wicked Panda has used ShadowPad malware since at least 2017.
In 2020, several threat actors affiliated with Wicked Panda were charged with computer intrusion campaigns against more than 100 victims worldwide.
What is ShadowPad?
ShadowPad is a sophisticated modular remote access trojan (RAT). Though originally developed by Wicked Panda threat actors, ShadowPad is currently used by multiple Chinese state-sponsored threat actor groups.
Most of the ShadowPad samples Secureworks analyzed were two-file execution chains, with an encrypted payload embedded in a DLL loader. These DLL loaders are sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking. The DLL loader decrypts the ShadowPad payload with a custom algorithm and executes it in memory; the decryption algorithm differs from one malware version to the next.
Secureworks also analyzed several samples using a third file containing the encrypted ShadowPad payload. In these samples, a legitimate executable is executed, the ShadowPad DLL loader is sideloaded, then the third file is loaded and decrypted.
Legitimate executables used to sideload ShadowPad include AppLaunch.exe (Microsoft), hpqhvind.exe (Hewlett Packard), consent.exe (Microsoft), TosBtKbd.exe (Toshiba), BDReinit.exe (BitDefender), and Oleview.exe (Microsoft).
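The sideloading chain above has a detectable shape: a vendor or OS binary from the list running outside its normal install location and loading an unsigned DLL from its own directory. The following is an added detection example (not code from Secureworks or PolySwarm) that runs that heuristic over constructed Sysmon-style image-load records; the record format, the baseline directory list, and the DLL names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

# Legitimate executables the research names as sideload hosts for the ShadowPad loader DLL.
SIDELOAD_HOSTS = {
    "applaunch.exe", "hpqhvind.exe", "consent.exe",
    "tosbtkbd.exe", "bdreinit.exe", "oleview.exe",
}

# Assumed baseline: where these OS/vendor binaries normally run. Tune per estate.
EXPECTED_PARENT_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
)

@dataclass
class ImageLoad:
    process_image: str   # full path of the process doing the load
    loaded_image: str    # full path of the DLL that was loaded
    signed: bool         # whether the DLL carried a valid Authenticode signature

def parse_event(line: str) -> ImageLoad:
    """Parse a constructed record: 'Image=<path>|ImageLoaded=<path>|Signed=true|false'."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields["Signed"].lower() == "true")

def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_suspected_sideload(ev: ImageLoad) -> bool:
    """Known host binary, relocated outside its expected directories, loading an
    unsigned DLL that sits beside it: the search-order hijack pattern the text describes."""
    if _basename(ev.process_image) not in SIDELOAD_HOSTS:
        return False
    proc_dir = _dirname(ev.process_image)
    relocated = not any(proc_dir.startswith(d) for d in EXPECTED_PARENT_DIRS)
    same_dir = _dirname(ev.loaded_image) == proc_dir
    return relocated and same_dir and not ev.signed

def triage(lines: List[str]) -> List[str]:
    """Return the process paths of every record matching the sideload heuristic."""
    return [ev.process_image for ev in map(parse_event, lines) if is_suspected_sideload(ev)]

# Constructed sample telemetry: one benign system load, one relocated host loading an
# unsigned DLL from its own folder, one relocated host loading a signed system DLL,
# and one unrelated binary that is not on the host list.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\consent.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true",
    r"Image=C:\Users\Public\Libraries\consent.exe|ImageLoaded=C:\Users\Public\Libraries\loader.dll|Signed=false",
    r"Image=C:\ProgramData\Update\AppLaunch.exe|ImageLoaded=C:\Windows\System32\mscoree.dll|Signed=true",
    r"Image=C:\Temp\notepad.exe|ImageLoaded=C:\Temp\loader.dll|Signed=false",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspected sideload host:", hit)
```

The third sample shows why the same-directory check matters: a relocated host loading a signed DLL from System32 is ordinary search-order behaviour, not a hijack.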
ShadowPad is capable of gathering host information, executing commands, interacting with the file system and registry, and deploying new modules. It is also used to maintain persistence in a victim system.
PolySwarm has multiple samples associated with ShadowPad RAT and Wicked Panda activity.