TrendMicro

Updated Shadowpad Malware Leads to Ransomware Deployment

Impacket

Impacket is a collection of Python classes for working with network protocols. We observed the use of WmiExec from the Impacket toolkit to connect to remote hosts.

Dumping Active Directory databases

While we have no evidence of which tool was used (probably NTDSUtil), the threat actor created files named aaaa.dit, likely containing the Active Directory database content, which could then be used for offline password cracking.

We have only one domain name that has been used by Shadowpad as a C&C server in both incident response investigations we conducted. For all other Shadowpad loaders we found, we were unable to retrieve the related encoded payload and, consequently, the associated C&C information.

This domain is updata.dsqurey[.]com. By pivoting on the infrastructure, we were able to identify further IP addresses. We found 3 additional domain names, up to 10 if we count the subdomains.

Some of these domain names were linked to other Shadowpad samples, and to a blog post that mentioned TTPs similar to what we observed, reinforcing our belief that they are linked to this threat actor.

Those domains are listed in the IOC section.

Attribution

We did not find evidence strong enough to link this activity to older operations or to a known threat actor. We found two low-confidence links pointing towards the Teleboyi threat actor, which we explain below.

PlugX code overlap

PlugX is a malware family that has existed since at least 2008, used in multiple targeted attacks, usually by Chinese threat actors, although over time its usage expanded to a wider range of attacks. Shadowpad is believed to be the successor of PlugX.

We found on VirusTotal a PlugX sample connecting to the bcs[.]dsqurey[.]com domain name. One of the Shadowpad samples linked to this case connected to updata[.]dsqurey[.]com.

The PlugX sample uses a custom algorithm for string decryption.

In their JSAC presentation (slide 27), TeamT5 describes TeleBoyi's custom PlugX loader as using a similar algorithm for decrypting strings. TeamT5 also lists “Operation Harvest” as being related to Teleboyi. The McUtil.dll PlugX loader (SHA-256: f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498) listed in the Operation Harvest blog post displays a similar string decryption algorithm. Another similarity is the PE icon of the PlugX sample, which is among the icons listed by TeamT5. Based on all these findings, we assess with high confidence that this PlugX sample belongs to Teleboyi.

However, we found that the dsqurey[.]com domain name was initially registered on 2018-03-27, expired in late March 2022, and was registered again on 2022-06-23. We don’t know whether the same threat actor reacquired the domain or whether it was registered by a different threat actor. We consider this link to Teleboyi weak.

Infrastructure overlap

In January 2024, 108.61.163[.]91 resolved to dscriy.chtq[.]net, a domain we link to this threat actor.

In May 2022, it resolved to sery.brushupdata[.]com, a domain name listed in Operation Harvest.

We consider this link to Teleboyi weak, since there is a year and a half between the two resolutions.

Acknowledgments

Thanks to our European incident response and APT-OPS teams as well as Fernando Mercês for their help in this investigation.

Thanks to the Orange Cyberdefense CERT for their information on the ransomware family.

Trend Vision One™

Trend Vision One™ is an enterprise cybersecurity platform that simplifies security and helps enterprises detect and stop threats faster by consolidating multiple security capabilities, enabling greater command of the enterprise’s attack surface, and providing complete visibility into its cyber risk posture. The cloud-based platform leverages AI and threat intelligence from 250 million sensors and 16 threat research centers around the globe to provide comprehensive risk insights, earlier threat detection, and automated risk and threat response options in a single solution.

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights within Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post against data in their environment.

Monitor for connections to Shadowpad C&C domains

eventSubId:(203 OR 204 OR 301 OR 602 OR 603) AND ("updata.dsqurey.com")

More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.
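For environments without Vision One, the same hunt can be run over exported logs. The following is an added example (not code from the Trend Micro post): it refangs the indicators quoted in this entry, flags DNS lookups of those C&C domains and of their subdomains (which the post notes exist), and flags creation of the aaaa.dit file staged for offline cracking. The log line format and host names are constructed assumptions.

```python
import re
from typing import List, Optional

# Indicators taken from this post, kept defanged exactly as the post writes them.
DEFANGED_DOMAINS = [
    "updata.dsqurey[.]com",    # Shadowpad C&C seen in both incident responses
    "bcs[.]dsqurey[.]com",     # PlugX sample found by pivoting on the infrastructure
    "dscriy.chtq[.]net",       # resolved from 108.61.163[.]91 in January 2024
    "sery.brushupdata[.]com",  # Operation Harvest domain, same IP in May 2022
]
SUSPICIOUS_FILENAMES = {"aaaa.dit"}  # likely NTDS.dit copy created by the actor

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable lowercase value."""
    return indicator.replace("[.]", ".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def host_matches(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

# Crude host-name extractor; good enough for key=value style log lines.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def scan_line(line: str) -> List[str]:
    """Return hits for one log line: C&C domain lookups and staged NTDS copies."""
    hits = []
    for host in HOST_RE.findall(line):
        matched = host_matches(host)
        if matched:
            hits.append(f"c2-domain:{matched}")
    for name in SUSPICIOUS_FILENAMES:
        if name in line.lower():
            hits.append(f"ntds-dump:{name}")
    return hits

# Constructed sample log lines (assumed format, not from the post).
SAMPLE_LOGS = [
    "2024-01-12T10:01:03 dns query host=ws01 qname=updata.dsqurey.com type=A",
    "2024-01-12T10:01:04 dns query host=ws01 qname=cdn.updata.dsqurey.com type=A",
    "2024-01-12T10:02:10 dns query host=ws02 qname=login.microsoft.com type=A",
    "2024-01-12T10:05:44 file create host=dc01 path=C:\\Windows\\Temp\\aaaa.dit",
    "2024-01-12T10:06:00 dns query host=ws03 qname=notdsqurey.com type=A",
]

def scan(lines: List[str]):
    """Return (line, hits) pairs for every line that produced at least one hit."""
    return [(line, scan_line(line)) for line in lines if scan_line(line)]
```

Note that the suffix check deliberately rejects look-alikes such as notdsqurey.com, so only the listed domains and their true subdomains are reported.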

Indicators Of Compromise

The indicators of compromise for this entry can be found here.
