As many as 85 command-and-control (C2) servers have been discovered supporting the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022.
That is according to VMware's Threat Analysis Unit (TAU), which analyzed three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.
ShadowPad, seen as a successor to PlugX, is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.
Taiwanese cybersecurity firm TeamT5, earlier this May, disclosed details of another China-nexus modular implant named Pangolin8RAT, which is believed to be the successor of the PlugX and ShadowPad malware families, linking it to a threat group dubbed Tianwu.
An analysis of the three ShadowPad artifacts, which had previously been put to use by Winnti, Tonto Team, and an emerging threat cluster codenamed Space Pirates, made it possible to discover the C2 servers by scanning the list of open hosts generated by a tool known as ZMap, VMware said. In other words, ZMap enumerates Internet hosts with the relevant port open, and each candidate is then probed with the C2 protocol reconstructed from the samples so that genuine ShadowPad servers can be told apart from unrelated listeners.
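The scanning pipeline described above, as an added example that is not VMware TAU's tooling and not code from the original article. It takes ZMap CSV output (here a constructed sample; the command `zmap -p 443 -O csv -f saddr,sport -o hosts.csv` is assumed to produce this shape), deduplicates the hosts, sends one probe per host and matches the reply against a fingerprint. The page gives no details of ShadowPad's handshake, so `PROBE`, `MAGIC` and `matches_fingerprint` are hypothetical placeholders standing in for the real protocol bytes recovered from sample analysis; the `probe` callable is injectable so the pipeline can be exercised offline.

```python
"""C2-scanning pipeline sketch: ZMap host list -> per-host probe -> fingerprint match.

Added example, not VMware TAU's scanner. The probe bytes and fingerprint
predicate below are hypothetical placeholders, because the article does not
describe ShadowPad's C2 handshake; replace them with the handshake and reply
structure recovered from your own analysis of a sample.
"""
import csv
import io
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample of ZMap CSV output (assumed shape of
# `zmap -p 443 -O csv -f saddr,sport`); addresses are RFC 5737 documentation ranges.
SAMPLE_ZMAP_CSV = """saddr,sport
203.0.113.10,443
198.51.100.7,443
203.0.113.10,443
192.0.2.55,443
"""


def parse_zmap_hosts(text: str) -> List[str]:
    """Return the unique source addresses from ZMap CSV output, first-seen order.

    ZMap can report the same host more than once (retransmits, overlapping
    runs), so deduplicating here avoids probing a server repeatedly.
    """
    seen = set()
    hosts: List[str] = []
    for row in csv.DictReader(io.StringIO(text)):
        ip = (row.get("saddr") or "").strip()
        if ip and ip not in seen:
            seen.add(ip)
            hosts.append(ip)
    return hosts


# Hypothetical probe/fingerprint pair (placeholders, NOT ShadowPad's real protocol).
PROBE = bytes.fromhex("0102030405060708")
MAGIC = b"\xab\xcd"
REPLY_LEN = 16


def matches_fingerprint(reply: bytes) -> bool:
    """Hypothetical fingerprint: a fixed-length reply that starts with MAGIC.

    A real fingerprint is whatever structure the implant's C2 server returns
    to a valid hello; an HTTP error, a TLS alert or silence all fail it.
    """
    return len(reply) == REPLY_LEN and reply[:2] == MAGIC


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> bytes:
    """Send PROBE over TCP and return whatever comes back; empty bytes on any error.

    Timeouts and resets are expected when scanning arbitrary hosts, so they are
    swallowed here and simply count as "no match" for that host.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(PROBE)
            return sock.recv(1024)
    except OSError:
        return b""


def scan(
    hosts: Iterable[str],
    port: int,
    probe: Callable[[str, int], bytes] = tcp_probe,
) -> Dict[str, bool]:
    """Probe each host once and record whether its reply matches the fingerprint."""
    return {ip: matches_fingerprint(probe(ip, port)) for ip in hosts}


if __name__ == "__main__":
    # Offline run: a constructed responder stands in for the network.
    fake_replies = {
        "203.0.113.10": MAGIC + b"\x00" * 14,            # looks like our (hypothetical) C2
        "198.51.100.7": b"HTTP/1.1 400 Bad Request\r\n",  # ordinary web server
    }
    results = scan(
        parse_zmap_hosts(SAMPLE_ZMAP_CSV),
        443,
        probe=lambda ip, port: fake_replies.get(ip, b""),
    )
    for ip, hit in results.items():
        print(ip, "C2 candidate" if hit else "no match")
```

Swapping `tcp_probe` for a UDP or HTTP(S) sender is the only change needed to cover the other two transports the article mentions; the host list handling and the match logic stay the same.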
The company further disclosed that it found Spyder and ReverseWindow malware samples communicating with ShadowPad C2 IP addresses; these are malicious tools put to use by APT41 (aka Winnti) and LuoYu, respectively.
Furthermore, overlaps were observed between the aforementioned Spyder sample and a Worker component of the threat actor's Winnti 4.0 trojan.
“Scanning APT malware C2s on the Internet is sometimes like finding a needle in a haystack,” Takahiro Haruyama, senior threat researcher at VMware TAU, said. “However, once the C2 scanning works, it can become a game changer as one of the most proactive threat detection approaches.”
Some parts of this article are sourced from:
thehackernews.com