Insights, news, education and announcements from PolySwarm

Wicked Panda’s ShadowPad RAT

Written by PolySwarm Tech Team | Feb 28, 2022 7:31:59 PM



Background


Secureworks recently posted research analyzing Wicked Panda’s ShadowPad RAT. Secureworks stated multiple clusters of ShadowPad activity appeared to be linked to PLA theater commands.

 

Who is Wicked Panda?

Wicked Panda, also known as Axiom, Winnti, APT41, and Bronze Atlas, is a sophisticated Chinese nexus threat actor group perpetrating activity in support of or in conjunction with the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). Active since at least 2009, Wicked Panda’s roots seem to have emerged in cybercrime and later evolved into the group’s current form. It is unknown whether the Chinese government recruited them into the military or intelligence services or if they operate as contractors.

Their activity has ranged from criminal, financially motivated attacks to stealthy espionage campaigns in support of Chinese military intelligence collection requirements. Wicked Panda has been known to attack a wide range of targets including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments. The group has targeted a broad range of entities across the APAC, AMEA, and AMERICAS regions.

 

Wicked Panda is known for having skilled programmers capable of developing sophisticated tools. The group uses a variety of TTPs including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad. The group is also known to steal software signing certificates to use in their campaigns. Wicked Panda has used ShadowPad malware since at least 2017.

In 2020, several threat actors affiliated with Wicked Panda were charged with computer intrusion campaigns against more than 100 victims worldwide.

What is ShadowPad?

ShadowPad is a sophisticated modular remote access trojan (RAT). Though originally developed by Wicked Panda threat actors, ShadowPad is currently used by multiple Chinese state-sponsored threat actor groups.

Most of the ShadowPad samples Secureworks analyzed were two-file execution chains, with an encrypted payload embedded in a DLL loader. These DLL loaders are sideloaded by a legitimate executable that is vulnerable to DLL search order hijacking. The DLL loader decrypts and executes the ShadowPad payload in memory using a custom algorithm. The decryption algorithm used is custom per malware version.
Secureworks also analyzed several samples using a third file containing the encrypted ShadowPad payload. In these samples, a legitimate executable is executed, the ShadowPad DLL loader is sideloaded, then the third file is loaded and decrypted.

Legitimate executables used to sideload ShadowPad include AppLaunch.exe (Microsoft), hpqhvind.exe (Hewlett Packard), consent.exe (Microsoft), TosBtKbd.exe (Toshiba), BDReinit.exe (BitDefender), and Oleview.exe (Microsoft).

ShadowPad is capable of gathering host information, executing commands, interacting with the file system and registry, and deploying new modules. It is also used to maintain persistence in a victim system.

IOCs

PolySwarm has multiple samples associated with ShadowPad RAT and Wicked Panda activity.

Hashes

9d686ceed21877821ab6170a348cc073

27d889c351ac2f48d31b91d06061ec8d

F5b7ea5e705655a1bc08030b601443088a5af4dd

17e812958704f4ced297731ce47de020

Fac0b4fe5372d76607c36ccb51e6b7bb

27d889c351ac2f48d31b91d06061ec8d

41ff21ea773b73812d91f91b68280ed3

1480d2856e4d57d0c8394ade835493db

40e7f1a18735819d6cf5f5cff0fb72f4

59961f8c3d8d6cfb7a378f58ff5c5f30

27d889c351ac2f48d31b91d06061ec8d

dfd3b637fc35e850138b33758934f3f7

0ddd78208c16e9f8174868bdf92eac9b

F977be4ebb0d06c9a19b37d8bbb37178

B40dec21d0c3061bef422bb946366cba

3520e591065d3174999cc254e6f3dbf5

C3292a51c1b92d7dd08518095bb851f8

3e372906248b215ea0ee853cb4e29dd8

Ffbadead054d1eac270f1a24d02e8a1f

06539163f71f8bd496db75ccb41db820

373eacf3ffd1b5722f9d3c1595092b4c

Ea6be331b5fa349a2fa464b062043b0e

5fe99a8f8cbfe46832478aa9c9634ed6

 


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports