Shadowpad
Posted: August 17, 2017
Threat Metric
The fields shown on the Threat Meter, each of which carries a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually indicates a widespread threat, but the threat may or may not have infected a large number of systems. A threat with a high detection count could lie dormant and have a low volume count. The criterion for the Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equals sign, represents the level of recent movement of a particular threat. An up arrow represents an increase, a down arrow represents a decline, and the equals sign represents no change in the threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Metric | Value |
|---|---|
| Threat Level | 6/10 |
| Infected PCs | 759 |
| First Seen | August 17, 2017 |
| Last Seen | April 21, 2023 |
| OS(es) Affected | Windows |
ShadowPad is a backdoor Trojan that can give a remote attacker control over your computer. Its payload includes avenues for collecting confidential information from the system or for installing and running other threats. Update your NetSarang software to eliminate the infection vector used by its campaign, and have a dedicated anti-malware solution remove ShadowPad as soon as possible.
The Shadow that Slipped into an Update Cycle
Nearly all Trojan attacks ultimately fall upon the heads of the users who invited them inside in the first place. Rare exceptions do exist, such as zero-day attacks that use non-publicly-known vulnerabilities for their drive-by downloads. The ShadowPad campaign shows a third modus operandi: compromising a legitimate program's updates to gain access to that product's clientele.
Measured by reach, ShadowPad is a successful example of this style of attack: it could have compromised hundreds of organizations around the world, including any businesses or governments using NetSarang products. The corrupted downloads, which the company has long since removed, include Xmanager Enterprise 5 Build 1232, Xmanager 5 Build 1045, Xshell 5 Build 1322, Xftp 5 Build 1218, and Xlpd 5 Build 1220. Unbeknownst to the developer, threat actors compromised the supply chain and inserted a basic downloader for ShadowPad.
ShadowPad's dropper follows what malware experts note is standard operating procedure for high-level cyber-espionage: it collects system statistics and hands them over to the C&C, which may or may not respond with instructions for escalating the attack. Optionally, the Command & Control activates a previously dormant backdoor feature, the defining payload of ShadowPad. Through this backdoor Trojan, the attackers can launch new processes, upload files to their C&C, and covertly save other data for collection at a later date.
Padding Away Lightly from Backdoor Problems
The only way that ShadowPad's past infection strategy can still endanger a system is if the user downloaded one of the noted updates and stopped there, instead of continuing to patch the system regularly. Modern versions of NetSarang products shouldn't be at risk from the 2017 implementation of ShadowPad's dropper, although the company hasn't made public any details about how its patch delivery system came to be compromised. ShadowPad's campaign does bear some resemblance to PlugX attacks from the Winnti group of threat actors, which suggests a heightened risk to targets that are of interest to China-resident hackers.
A backdoor Trojan like ShadowPad raises few symptoms, even for normally alert users. Network activity corresponding to contact with a corrupted domain is one of the few ways that organizations can identify infections, and AV vendor Kaspersky is providing a full list of the relevant sites. Always respond to an infection by disabling network connectivity and removing ShadowPad with an appropriate anti-malware service.
The usual conversation between a Trojan's victim and the rest of the cyber-security industry involves querying what the user did wrong in the first place. With ShadowPad, the mistake can be nothing worse than downloading an update, which is why it's so vital to make a habit of staying abreast of security hotfixes and rollbacks.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created on the system:

| File name | Size | MD5 | Detection count | File type | Mime type | Group | Last updated |
|---|---|---|---|---|---|---|---|
| file.dll | 180.43 KB (180432 bytes) | 22593db8c877362beb12396cfef693be | 56 | Dynamic link library | unknown/dll | Malware file | August 17, 2017 |
| file.dll | 180.65 KB (180658 bytes) | 82e237ac99904def288d3a607aa20c2b | 53 | Dynamic link library | unknown/dll | Malware file | August 17, 2017 |
| file.dll | 167.93 KB (167936 bytes) | dac6dd4943f23b325e361552c0b8b77a | 50 | Dynamic link library | unknown/dll | Malware file | August 17, 2017 |
| file.dll | 180.43 KB (180432 bytes) | 97363d50a279492fda14cbab53429e75 | 49 | Dynamic link library | unknown/dll | Malware file | August 17, 2017 |
| file.exe | 57.76 MB (57763752 bytes) | 0009f4b9972660eeb23ff3a9dccd8d86 | 12 | Executable File | unknown/exe | Malware file | August 27, 2021 |
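As an added example (not code from this page or from SpyHunter), the following Python script sweeps a directory tree for the file indicators listed above. The MD5 and size values are taken from the page; the function names, the demo directory and the files it contains are constructed for this example. Size is checked first so that only candidate files are hashed, large files are hashed in chunks, and `demo()` builds a throwaway directory with a constructed file to show what a hit looks like without any real malware.

```python
"""Hash-based IoC sweep for the ShadowPad file indicators listed above.

Added example, not from the original page or from SpyHunter. The MD5 and
size values come from the page's "File System Modifications" table; the
function names and the demo files are constructed here.
"""
import hashlib
import os
import sys
import tempfile

# Indicators from the page: MD5 -> size in bytes. The size acts as a cheap
# prefilter so the scanner only hashes files that could possibly match.
SHADOWPAD_IOCS = {
    "22593db8c877362beb12396cfef693be": 180432,
    "82e237ac99904def288d3a607aa20c2b": 180658,
    "dac6dd4943f23b325e361552c0b8b77a": 167936,
    "97363d50a279492fda14cbab53429e75": 180432,
    "0009f4b9972660eeb23ff3a9dccd8d86": 57763752,
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large binary (the 57 MB .exe above)
    never has to be read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=SHADOWPAD_IOCS):
    """Walk `root` and return [(path, md5)] for every file whose size and
    MD5 both match an indicator. Unreadable files are skipped, not fatal."""
    candidate_sizes = set(iocs.values())
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size not in candidate_sizes:
                    continue
                digest = md5_of_file(path)
            except OSError:
                continue  # permission denied, vanished file, etc.
            if iocs.get(digest) == size:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed demonstration: a temp directory holding one benign file
    and one file registered as a demo indicator. Returns the base names hit
    by the demo indicator set and the (empty) hits for the ShadowPad set."""
    sample = b"constructed demo payload, not real malware"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        with open(os.path.join(root, "sample.dll"), "wb") as fh:
            fh.write(sample)
        demo_iocs = {hashlib.md5(sample).hexdigest(): len(sample)}
        demo_hits = scan_directory(root, demo_iocs)
        shadowpad_hits = scan_directory(root)
    return [os.path.basename(p) for p, _ in demo_hits], shadowpad_hits


if __name__ == "__main__":
    # Usage: python shadowpad_ioc_scan.py <directory>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_md5 in scan_directory(target):
        print(f"MATCH {hit_md5} {hit_path}")
```

MD5 is used here only because it is the hash the page publishes; MD5 collisions are practical, so a production sweep should carry SHA-256 alongside it. A clean result covers only the five files listed above, not the network side: the page points to Kaspersky for the C&C domain list, so those indicators are not included here.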