As many as 85 command-and-control (C2) servers have been discovered supporting the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022.
That is according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using the TCP, UDP, and HTTP(S) protocols for C2 communications.
ShadowPad, seen as a successor to PlugX, is a modular malware platform privately shared among a number of Chinese state-sponsored actors since 2015.
Taiwanese cybersecurity firm TeamT5, earlier this May, disclosed details of another China-nexus modular implant named Pangolin8RAT, which is believed to be the successor of the PlugX and ShadowPad malware families, linking it to a threat group dubbed Tianwu.
An analysis of the three ShadowPad artifacts, which were previously used by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates, made it possible to discover the C2 servers by scanning the list of open hosts generated by a tool called ZMap, VMware said.
The company further disclosed that it identified Spyder and ReverseWindow malware samples communicating with ShadowPad C2 IP addresses, both of which are malicious tools used by APT41 (aka Winnti) and LuoYu.
Moreover, overlaps were observed between the aforementioned Spyder sample and a Worker component of the threat actor's Winnti 4.0 trojan.
"Scanning APT malware C2s on the Internet is sometimes like finding a needle in a haystack," Takahiro Haruyama, senior threat researcher at VMware TAU, said. "However, once the C2 scanning works, it can become a game changer as one of the most proactive threat detection approaches."