Chinese APT Favorite Backdoor Found in Pakistani Government App

Trend Micro has discovered samples of Shadowpad, an advanced backdoor used by various China-backed actors within applications built by the National Information Technology Board (NITB), a government agency of Pakistan.

In a study published on July 14, 2023, two threat analysts working for the Japanese cybersecurity provider, Daniel Lunghi and Ziv Chang, analyzed the Microsoft Windows installer for E-Office, a management application developed by NITB and used exclusively by the government of Pakistan.

One of the three files launched by the installer, mscoree.dll, appeared to be the Shadowpad payload.

Shadowpad is a modular backdoor that was discovered in 2017 after a supply chain attack against popular server management software by the Chinese espionage-and-cybercrime threat actor APT41 (aka Wicked Panda and Bronze Atlas).

Since 2019, this malware has been shared among multiple Chinese threat actors such as Earth Akhlut and Earth Lusca.

Therefore, Trend Micro said that while the campaign could potentially be linked to the Chinese threat actor ecosystem, it cannot be attributed to any particular group with confidence.

All samples use the same technique

After analyzing the E-Office installer file, Trend Micro researchers discovered that the threat actors had added code that checks a few bytes of the executable loading the DLL, at a hard-coded offset, against a specific value. If the bytes do not match, the DLL terminates itself.

If the check passes, execution continues into code that is obfuscated in two ways. One technique prevents the disassembler from statically following the code flow, making static analysis very difficult; the other adds useless instructions and branches that are never executed, to confuse any malware analyst.

We found some Shadowpad samples using these two obfuscation techniques.

The encryption scheme in this campaign also differed from what had been seen before: the attackers encrypted the backdoor configuration of every Shadowpad sample with the same algorithm, whereas historically each sample's configuration was encrypted with a different algorithm.

These technical factors could mean that the same actor may be behind all the samples Trend Micro found, but the researchers make no such claim.

3 Pakistani targets

Researchers found three targets, all in Pakistan.

The first victim discovered was a Pakistani government agency. Trend Micro confirmed that the Shadowpad samples reached the victim after the backdoored E-Office installer was run on September 28, 2022.

The second victim was a public sector bank in Pakistan. In this incident, a different Shadowpad sample was detected on September 30, 2022 after E-Office was installed, but Trend Micro was unable to retrieve the associated E-Office installer.

Another related Shadowpad sample was detected at a telecommunications provider in Pakistan in May 2022. Subsequent analysis indicated that it had been present since mid-February 2022, but the researchers were unable to identify an infection vector for this incident.

The fact that E-Office is “only for government agencies and not open to the public” supports the belief that the incident could be a supply chain attack, Lunghi and Chang concluded.
