As many as 85 command-and-control (C2) servers have been found supporting the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022.
That is according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.
ShadowPad, viewed as a successor to PlugX, is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.
Taiwanese cybersecurity firm TeamT5, earlier this May, disclosed details of another China-nexus modular implant named Pangolin8RAT, which is believed to be the successor of the PlugX and ShadowPad malware families, linking it to a threat group dubbed Tianwu.
An analysis of the three ShadowPad artifacts, which had previously been put to use by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates, made it possible to discover the C2 servers by scanning the list of open hosts generated by a tool called ZMap, VMware said.
The company further disclosed that it identified Spyder and ReverseWindow malware samples communicating with ShadowPad C2 IP addresses, both of which are malicious tools put to use by APT41 (aka Winnti) and LuoYu.
Furthermore, overlaps were observed between the aforementioned Spyder sample and a Worker component of the threat actor's Winnti 4.0 trojan.
"Scanning APT malware C2s on the Internet is often like finding a needle in a haystack," Takahiro Haruyama, senior threat researcher at VMware TAU, said. "However, once the C2 scanning works, it can become a game changer as one of the most proactive threat detection approaches."