ShadowPad

ShadowPad is a modular backdoor that was first identified in a Software Supply Chain Compromise of NetSarang software in mid-July 2017. The malware was originally thought to be used exclusively by APT41, but has since been observed in use by various Chinese threat activity groups. [1][2][3]

The ShadowPad backdoor was planted in software from NetSarang, a server management software vendor based in the U.S. and South Korea whose products are used by large businesses around the world. When activated, the backdoor allows attackers to download further malicious modules or to steal data.

A slight change was made to one of NetSarang's dynamic link library (DLL) files, which was then signed with a legitimate NetSarang certificate, implying that the attackers modified the source code or patched the software on the build servers.[2][3] Because the certificate was legitimate, signature validation on the trojanized DLL succeeded, so a signature check alone would not have flagged the modification.
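Since the backdoored DLL carried a valid vendor signature, a check that relies on signature validity alone does not catch this class of compromise. The following Python script, added here as an example and not taken from NetSarang or from the sources cited on this page, compares an installed tree against a manifest of SHA-256 digests obtained out of band (a clean reference install, a previously verified snapshot, or a vendor-published hash list) and reports modified, missing and unexpected files. The manifest format, the file names and the tampered contents are assumptions constructed for the demo.

```python
"""Hash-allowlist check for vendor-shipped binaries.

Added example; not NetSarang's code and not from the page's sources.
A valid Authenticode signature does not prove the file is the one the vendor
intended to ship, so this compares every file under an install directory
against SHA-256 digests recorded out of band.

Manifest format (assumed for this example): one entry per line in the shape
of ``sha256sum`` output, ``<64 hex chars>  <relative path>``.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hash>  <relpath>' lines into {relpath: hash}.

    Blank lines and '#' comments are skipped.  A malformed line is an error,
    not a silent skip: a manifest that quietly loses entries would downgrade a
    modified vendor file to merely 'unexpected'.
    """
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, relpath = parts
        # sha256sum marks binary-mode entries with '*'; normalise separators too.
        expected[relpath.lstrip("*").replace("\\", "/")] = digest.lower()
    return expected


def verify_tree(root: str, manifest_text: str) -> Dict[str, List[str]]:
    """Classify manifest entries and on-disk files into sorted buckets.

    'modified' is the case described above: a file the vendor ships, present on
    disk, whose digest differs from the one recorded out of band.
    """
    expected = parse_manifest(manifest_text)
    found: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in found:
            result["missing"].append(rel)
        elif found[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = [rel for rel in found if rel not in expected]
    for bucket in result.values():
        bucket.sort()
    return result


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed install tree in a temp dir, tamper with it, verify it.

    Names and contents are made up for the demo; they are not vendor artefacts.
    """
    clean = {
        "bin/app.exe": b"main executable (constructed)\n",
        "bin/libnet.dll": b"networking library, clean vendor build (constructed)\n",
        "doc/readme.txt": b"release notes (constructed)\n",
    }
    # Manifest computed from the clean contents, i.e. what a vendor would publish.
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in clean.items())
    root = tempfile.mkdtemp(prefix="supplychain-demo-")
    try:
        for rel, data in clean.items():
            if rel == "doc/readme.txt":
                continue  # deliberately not written, to exercise the 'missing' bucket
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Tamper: append bytes to the DLL, standing in for a build-time modification.
        with open(os.path.join(root, "bin", "libnet.dll"), "ab") as f:
            f.write(b"<appended stage loader (constructed)>")
        # A file the vendor never shipped.
        with open(os.path.join(root, "bin", "extra.dll"), "wb") as f:
            f.write(b"not in manifest (constructed)\n")
        return verify_tree(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket:10s} {files}")
```

The manifest must come from a source the build pipeline cannot influence; a hash list served from the same compromised update channel as the binaries would simply match the trojanized file.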

Associated Software Descriptions

Name                Description
POISONPLUG.SHADOW   [4]

Techniques Used

Domain      ID            Name
Enterprise  VT0004.002    Supply Chain Compromise: Compromise Software Supply Chain

Use: The ShadowPad backdoor was inserted into a dynamic link library (DLL) file of NetSarang's server management software and delivered to NetSarang's users in a Software Supply Chain Compromise.

Threat Actors That Use This Tool

ID      Name
VG0006  APT41

APT41 is reported to be behind the modular backdoor ShadowPad, which was first discovered in the Software Supply Chain Compromise of NetSarang software.

References

ID: VS0008
Associated Software: POISONPLUG.SHADOW
Type: MALWARE
Platforms: Windows
Version: 1.0

Created: 06 May 2021

Last Modified: 06 May 2021