Researchers Expose Over 80 ShadowPad Malware C2 Servers

Researchers Expose Over 80 ShadowPad Malware C2 Servers

Since September 2021, infrastructure supporting the ShadowPad malware has been detected as recently as October 16, 2022. This includes as many as 85 command-and-control (C2) servers.

According to research conducted by VMware’s Threat Analysis Unit (TAU), which analyzed three different ShadowPad variants, C2 communications were conducted over TCP, UDP, and HTTP(S).

ALSO, READ Researchers Uncover Stealthy Techniques Used By Cranefly Espionage Hackers

ShadowPad is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015. It is widely regarded as PlugX’s successor.

In May, the Taiwanese cybersecurity firm TeamT5 revealed details about another China-nexus modular implant called Pangolin8RAT, which is thought to be the successor of the PlugX and ShadowPad malware families and is linked to a threat group dubbed Tianwu.

Researchers Expose Over 80 ShadowPad Malware C2 Servers

According to VMware, the C2 servers were found by scanning the list of open hosts generated by a tool called ZMap and analyzing three ShadowPad artifacts previously used by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates.

The company further disclosed it identified Spyder and ReverseWindow malware samples communicating with ShadowPad C2 IP addresses, both of which are malicious tools put to use by APT41 (aka Winnti) and LuoYu.

ALSO, READ How To Protect Your Company Website From Hackers (2022)

Additionally, overlaps have been observed between the aforementioned Spyder sample and a Worker component of the threat actor’s Winnti 4.0 trojan.

“Scanning APT malware C2s on the Internet is sometimes like finding a needle in a haystack,” Takahiro Haruyama, a senior threat researcher at VMware TAU, said. “However, once the C2 scanning works, it can become a game changer as one of the most proactive threat detection approaches.”