Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware.
Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed[1] it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors.
“During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems[2] of one of the victims,” the company said. “By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization.”
ShadowPad[3], which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been put to use by many Chinese espionage actors over the years.
While its design allows operators to remotely deploy additional plugins that extend its functionality beyond covert data collection, what makes ShadowPad dangerous are the anti-forensic and anti-analysis techniques incorporated into the malware.
“During the attacks of the observed actor, the ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software,” Kaspersky said. “In many cases, the attacking group exploited a known vulnerability in MS Exchange, and entered the commands manually, indicating the highly targeted nature of their campaigns.”
Evidence suggests that intrusions mounted by the adversary began in March 2021, right around the time the ProxyLogon vulnerabilities[4] in Exchange Servers became public knowledge. Some of the targets are said to have been breached by exploiting CVE-2021-26855[5], a server-side request forgery (SSRF) vulnerability in the mail server.
Besides deploying ShadowPad as “mscoree.dll,” the name of an authentic Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called THOR[6], and web shells for remote access.
Although the final goals of the campaign remain unknown, the attackers are believed to be interested in long-term intelligence gathering.
“Building automation systems are rare targets for advanced threat actors,” Kaspersky ICS CERT researcher Kirill Kruglov said. “However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures.”
References
[1] attributed (ics-cert.kaspersky.com)
[2] building automation systems (en.wikipedia.org)
[3] ShadowPad (thehackernews.com)
[4] ProxyLogon vulnerabilities (thehackernews.com)
[5] CVE-2021-26855 (thehackernews.com)
[6] THOR (thehackernews.com)
Read more: https://thehackernews.com/2022/06/apt-hackers-targeting-industrial.html
