ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat organizations in recent years, has been revealed by cybersecurity researchers, who have also linked it to the country's civilian and military intelligence services. Since at least 2017, the Chinese government-sponsored BRONZE ATLAS threat organization has been using the ShadowPad sophisticated modular remote access trojan (RAT).
Since 2019, a rising number of other Chinese threat groups have used it in attacks against firms in a variety of industrial verticals throughout the world. Analysis of ShadowPad samples by Secureworks Counter Threat Unit (CTU) found clusters of activity associated with threat groups affiliated with the Chinese Ministry of State Security (MSS), civilian intelligence agency, and the People's Liberation Army (PLA).
ShadowPad rose to prominence in 2017 because it was used in software supply chain attacks involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments released in 2020 provide more details on ShadowPad's relationship to BRONZE ATLAS.
According to the Microsoft complaint, BRONZE ATLAS (also known as Barium) used ShadowPad to steal intellectual property and personally identifiable information in 2017. The malware was only utilised by BRONZE ATLAS at the time. According to the DOJ indictments, Chinese nationals working for the Chengdu 404 network security firm used ShadowPad in a global campaign ascribed to BRONZE ATLAS.
Traditionally, malware payloads are sent to a host either encrypted within a DLL loader or embedded within a separate file alongside a DLL loader, which subsequently decrypts and executes the embedded ShadowPad payload in memory using a specific decryption technique tailored to the malware version. These DLL loaders run malware after being sideloaded by a genuine executable vulnerable to DLL search order hijacking, a technique that allows malware to run by hijacking the mechanism used to look for required DLLs to load into a programme.
Secureworks discovered that certain infection chains include a third file containing the encrypted ShadowPad payload, which works by executing the genuine binary (e.g., BDReinit.exe or Oleview.exe) to sideload the DLL, which then loads and decrypts the third file.
The incursions in one ShadowPad incident paved the door for conducting hands-on-keyboard attacks, which are attacks in which human hackers manually log into an infected system to execute commands rather than using automated scripts.
