As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022.

That’s according to VMware’s Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.

ShadowPad, seen as a successor to PlugX, is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.

Taiwanese cybersecurity firm TeamT5, earlier this May, disclosed details of another China-nexus modular implant named Pangolin8RAT, which is believed to be the successor of the PlugX and ShadowPad malware families, linking it to a threat group dubbed Tianwu.

An analysis of the three ShadowPad artifacts, which have been previously put to use by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates, made it possible to discover the C2 servers by scanning the list of open hosts generated by a tool called ZMap, VMware said.

CyberSecurity

The company further disclosed it identified Spyder and ReverseWindow malware samples communicating with ShadowPad C2 IP addresses, both of which are malicious tools put to use by APT41 (aka Winnti) and LuoYu.

Additionally, overlaps have been observed between the aforementioned Spyder sample and a Worker component of the threat actor’s Winnti 4.0 trojan.

“Scanning APT malware C2s on the Internet is sometimes like finding a needle in a haystack,” Takahiro Haruyama, senior threat researcher at VMware TAU, said. “However, once the C2 scanning works, it can become a game changer as one of the most proactive threat detection approaches.”

Technology

Products You May Like

Articles You May Like

Elon Musk to Grant ‘Amnesty’ to Banned Twitter Accounts
Redmi K60 Series Key Specifications Leaked Ahead of Launch: All Details
Infinix Hot 20S With MediaTek Helio G96 SoC, Triple Rear Cameras Launched: Price, Specifications
iQoo 11 Series First Look Revealed Ahead of Launch, Confirms Presence of Vivo V2 ISP
Senior Tory joins growing rebellion trying to force PM into U-turn over onshore wind ban

Leave a Reply

Your email address will not be published.