November 20, 2024
Severity
High
Analysis Summary
ShadowPad is a modular Remote Access Trojan (RAT) shared among several Chinese state-sponsored threat actors; activity using it has been linked both to the Ministry of State Security (MSS) and to the People's Liberation Army (PLA). It is usually delivered as a two-file package: a malicious DLL loader, side-loaded by a legitimate executable placed next to it, with the encrypted ShadowPad payload embedded inside the DLL. Operators of ShadowPad have targeted organisations in South Korea, India, Japan, Ukraine, Russia, and Mongolia; one such group, TAG-38, has previously targeted Indian power grid assets.
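Because the loader depends on a DLL being picked up from the same directory as the executable that loads it, image-load telemetry is the natural place to hunt for it. The following heuristic, added here as an illustration and not taken from the advisory or from any ShadowPad report, runs over constructed Sysmon Event ID 7 (ImageLoad) records and flags a DLL that (a) sits in the same directory as the process that loaded it, (b) is outside the Windows and Program Files trees, and (c) does not carry a valid signature. The sample records and the trusted-prefix list are assumptions for the example.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records."""
import ntpath

# Directories where unsigned DLLs beside a signed host are common enough that an
# allowlist is needed instead of an alert; tune per environment (assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed records, not real telemetry. Field names follow Sysmon Event 7:
# Image = loading process, ImageLoaded = DLL, SignatureStatus = the DLL's signature.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcss.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\VendorUpdate\update.exe",
     "ImageLoaded": r"C:\ProgramData\VendorUpdate\log.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\Public\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\msvcr100.dll", "SignatureStatus": "Unavailable"},
]


def is_sideload_candidate(event):
    """True when a DLL was loaded from the loader's own, non-system directory without a valid signature."""
    proc_dir = ntpath.dirname(event["Image"]).lower()
    dll_path = event["ImageLoaded"]
    dll_dir = ntpath.dirname(dll_path).lower()
    if not dll_path.lower().endswith(".dll"):
        return False
    if dll_dir != proc_dir:
        return False  # side-loading relies on the DLL sitting beside the host executable
    if (proc_dir + "\\").startswith(TRUSTED_PREFIXES):
        return False  # system/vendor trees: handle with an allowlist, not this rule
    return event.get("SignatureStatus", "").lower() != "valid"


def hunt_sideloads(events):
    """Return the ImageLoaded paths of every candidate record, in input order."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for dll in hunt_sideloads(SAMPLE_EVENTS):
        print("side-load candidate:", dll)
```

The rule is deliberately noisy in the Program Files exemption direction rather than the alerting direction: an unsigned helper DLL beside a signed vendor binary in ProgramData, Temp or Users\Public is exactly the shape of the loader described above, and any hit there should be triaged by hashing the DLL and checking the host executable's signer.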
Impact
- Unauthorized Access
- Financial Theft
- Information Theft
Indicators of Compromise
IP
- 37.120.222.37
MD5
- 704fb67dffe4d1dce8f22e56096893be
- f6a16ca591e787bf4922c4f1521be536
SHA-256
- 79c2c656eac34f628406855c9fafe36161ac423c071d9b20b64f4f511c9ec241
- 637a382d88431cea9ec13072e7a880316021b3861c74574b9ef79ec21d6e1237
SHA-1
- 88e345cd7b63dcc6f9559de4208d8832835ca6a3
- 9e871e58090bcaf8cfb80a1a80a595f73ed368a9
Remediation
- Block the indicators listed above on your respective controls: the IP at the perimeter firewall, proxy and DNS layer, and the file hashes on endpoint protection.
- Search for these indicators of compromise (IOCs) across your environment, retrospectively as well as going forward: file hashes on endpoints and the IP in firewall, proxy and DNS logs.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities, including process and image-load telemetry, to detect anomalous activities such as DLLs loaded from user-writable directories and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
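The first two remediation items amount to a hash sweep plus a log search. The script below is an added example, not the advisory's own tooling: it hashes every file under a directory tree in one pass (MD5, SHA-1 and SHA-256, so all three IOC lists above are covered) and matches whole IPv4 tokens in log lines against the IOC IP, so that a decoy such as 137.120.222.37 does not match. The log lines are constructed for the example; the self-check appends the SHA-256 of an empty file to the IOC set so the matcher can be exercised without a real sample.

```python
"""Sweep a directory tree and log lines for the ShadowPad IOCs listed above."""
import hashlib
import os
import re
import tempfile

# IOCs from this advisory (MD5, SHA-256 and SHA-1 values, matched case-insensitively).
IOC_HASHES = {
    "704fb67dffe4d1dce8f22e56096893be",
    "f6a16ca591e787bf4922c4f1521be536",
    "79c2c656eac34f628406855c9fafe36161ac423c071d9b20b64f4f511c9ec241",
    "637a382d88431cea9ec13072e7a880316021b3861c74574b9ef79ec21d6e1237",
    "88e345cd7b63dcc6f9559de4208d8832835ca6a3",
    "9e871e58090bcaf8cfb80a1a80a595f73ed368a9",
}
IOC_IPS = {"37.120.222.37"}

# Constructed firewall log lines (not real traffic); line 3 is a decoy that a
# naive substring search would wrongly match.
SAMPLE_LOG_LINES = [
    "2024-11-20T10:01:02Z fw01 action=allow src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2024-11-20T10:01:09Z fw01 action=allow src=10.0.0.17 dst=37.120.222.37 dport=443",
    "2024-11-20T10:02:31Z fw01 action=allow src=10.0.0.17 dst=137.120.222.37 dport=80",
]

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def hash_file(path):
    """Return the md5/sha1/sha256 hex digests of a file, computed in a single read."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep_files(root, ioc_hashes):
    """Walk root and return (path, algo, digest) for every file whose hash is an IOC."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or special files are skipped, not fatal
            for algo, digest in digests.items():
                if digest in wanted:
                    hits.append((path, algo, digest))
    return hits


def find_ip_hits(lines, ioc_ips):
    """Return (line_no, ip) for each log line containing an IOC IP as a whole token."""
    hits = []
    for no, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((no, ip))
    return hits


def demo_sweep():
    """Self-check: the SHA-256 of an empty file, added to the IOC set, must be the only hit."""
    empty_sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    tmp = tempfile.mkdtemp()
    open(os.path.join(tmp, "empty.bin"), "wb").close()
    with open(os.path.join(tmp, "benign.bin"), "wb") as fh:
        fh.write(b"benign content")
    hits = sweep_files(tmp, IOC_HASHES | {empty_sha256})
    return [(os.path.basename(p), algo) for p, algo, _ in hits]


if __name__ == "__main__":
    print(demo_sweep())
    print(find_ip_hits(SAMPLE_LOG_LINES, IOC_IPS))
```

Point `sweep_files` at the directories the loader is likely to land in (ProgramData, Temp, Users\Public and application directories) rather than whole volumes, and feed `find_ip_hits` with historical proxy and firewall exports, since the connection of interest may predate the block rule.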