Security researchers have uncovered a significant evolution in the ShadowPad malware family, which is now being used to deploy ransomware in highly targeted attacks.
ShadowPad, modular malware linked to Chinese threat actors, has historically been associated with cyber espionage.
However, recent incidents reveal its expanded capabilities, marking an alarming shift toward ransomware deployment.
Incident Analysis and Infection Vectors
Two recent cases in Europe highlight the use of ShadowPad as a delivery mechanism for a previously unreported ransomware family.
The attackers gained access to victims’ networks through remote attacks exploiting weak passwords and bypassing multi-factor authentication (MFA).
In one instance, MFA was circumvented via an unknown method, potentially involving stolen certificates.
Once inside the network, the attackers leveraged administrative privileges to deploy ShadowPad on critical systems like domain controllers.
The ransomware component encrypts files using a combination of AES and RSA algorithms, appending a “.locked” extension to affected files.
Interestingly, the ransom notes mimic the structure of known ransomware documentation, possibly to mislead analysts.
Despite these efforts, no ransom payments have been observed, suggesting limited financial success for the attackers so far.
Broad Targeting Across Industries
Over the past seven months, at least 21 organizations across 15 countries have been targeted using ShadowPad.
The manufacturing sector has been disproportionately affected, accounting for more than half of the incidents.
Other impacted industries include transportation, publishing, energy, and banking.
The geographic scope spans Europe, Asia, the Middle East, and South America, underscoring the global reach of this campaign.
The latest version of ShadowPad includes several updates aimed at evading detection and complicating analysis:
- Obfuscation: Enhanced code obfuscation techniques make reverse engineering more challenging.
- Anti-Debugging Measures: The malware employs multiple checks to detect debugging environments and terminates itself if any are detected.
- DNS Over HTTPS (DoH): This feature conceals command-and-control (C&C) communications by encrypting DNS queries.
- Registry Encryption: Payloads are encrypted using machine-specific keys derived from volume serial numbers, further hindering forensic analysis.
According to Trend Micro, these advancements reflect ongoing development efforts by its creators to maintain ShadowPad’s effectiveness against evolving cybersecurity defenses.
While ShadowPad has been linked to Chinese advanced persistent threat (APT) groups such as APT41 in the past, researchers have not definitively attributed these recent ransomware deployments to a specific actor.
Weak links to other Chinese threat actors like TeleBoyi have been noted but remain inconclusive.
The dual use of ShadowPad for espionage and ransomware highlights its versatility and raises concerns about its potential misuse in future campaigns.
Organizations in critical industries are advised to strengthen their cybersecurity posture by implementing robust password policies, enforcing multi-factor authentication, and monitoring for indicators of compromise associated with ShadowPad activity.
This development underscores the growing convergence of nation-state tactics with financially motivated cybercrime, signaling an increasingly complex threat landscape for global enterprises.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here