The evolution of ShadowPad infrastructure

Pivoting the ShadowPad C2s SSL Certificate to track the malware’s infrastructure

Bank Security
8 min read · Mar 25, 2022

Key takeaways

  • ShadowPad malware has been used for years by the Chinese state-sponsored group named Winnti (aka APT41, AXIOM, WICKED SPIDER & PANDA);
  • The SSL certificate used by the ShadowPad C2s has remained unchanged over the years, allowing analysts to keep track of the evolution of malware and its infrastructure;
  • From 2017 to today over 600 IP addresses used the ShadowPad certificate;
  • February 2021 was the month when the infrastructure was at its peak with over 80 active IPs;
  • Over the years the infrastructure has mainly been hosted in Hong Kong, South Korea and China;
  • The beginning of the conflict between Russia and Ukraine doesn’t seem to have altered the size of the infrastructure;

Introduction

Reading the latest ShadowPad analysis performed by the Secureworks researchers, I got hooked on this advanced threat and tried to figure out:

How big is the infrastructure of a sophisticated Chinese malware?

How has it evolved over time? Where is it hosted? What providers do they use?

Thanks to the analyses of ShadowPad's command and control servers (C2) performed by various cyber security firms, it was possible to learn that the Chinese threat group named Winnti has been using the same SSL certificate on its ShadowPad C2 servers for years.

This article analyzes the evolution of ShadowPad’s malware infrastructure by pivoting the C2 servers with the corresponding SSL certificate. The evolution of the infrastructure covers the last 5 years (from mid-2017 to today). The infrastructure analysis mainly focuses on the size, geolocation and the main service providers used by ShadowPad.

Thanks to the Shodan platform’s history feature, it is possible to identify which servers hosted the certificate in a specific time range, even if they are now decommissioned.

What is ShadowPad?

ShadowPad is a sophisticated and modular backdoor used by the state-sponsored Chinese group named Winnti (aka APT41, BARIUM, AXIOM, WICKED SPIDER & PANDA) and a growing number of Chinese threat groups, which have been active for at least 10 years.

Each plugin contains specific functionality that can be ‘plugged’ or ‘unplugged’ during runtime. It also allows dynamic loading of additional plugins which are not initially embedded in the sample and can be downloaded from the C&C server.

The key interests of groups using ShadowPad are espionage and financial gain. Their core toolkit consists of custom malware.

In particular, Winnti uses complex attack methods, including supply chain and watering hole attacks. The group knows exactly who their victims are. They develop attacks very carefully and deploy their primary tools only after a detailed reconnaissance of the infected system.

The group attacks countries all over the world, including Russia, the United States, Japan, South Korea, Germany, Mongolia, Belarus, India and more.

The group tends to attack different industries like finance, gaming, software development, aerospace, energy, telecom and more.

The SSL Certificate is the key

To understand the evolution of the ShadowPad infrastructure over the last several years, it is important to focus on something that has remained constant over time and that can be uniquely associated with ShadowPad.

This constant is the SSL certificate used by the ShadowPad C2s, which — contrary to how it normally happens — has remained unchanged over the years, thereby allowing analysts to keep track of the evolution of malware and its infrastructure. It is also possible to monitor all the new C2s that appear in order to proactively block them and insert them into an organization’s MISP or TIP as soon as possible.

The reason for using the same SSL certificate on almost all ShadowPad C2 servers is not clear. This may be the result of having the same system image installed on the C2 servers, or else simple overconfidence. It’s also possible that the creation of the new C2s is outsourced to a third party which doesn’t care about OPSEC.

Find the most relevant certificate:

Thanks to the analysis of various public sources and cyber security firms which analyzed the different ShadowPad campaigns (articles in the references), it was possible to find a specific SSL chain that has been constantly used by the Winnti group over the last few years.

Below are the corresponding C2 SSL certificate parameters:

Root: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA, SHA1=0a71519f5549b21510410cdf4a85701489676ddb

Sub: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer, SHA1=2d2d79c478e92a7de25e661ff1a68de0833b9d9b

The details about the two certificates:

[Figure: Root vs Sub, 1]
[Figure: Root vs Sub, 2]

You can find the presence of this certificate in several publications about ShadowPad malware attacks, such as:

  • A 2020 Positive Technologies report on new activity from the Winnti group (screenshot in the original post).
  • An investigation of the 2017 attack on CCleaner. Avast has provided details regarding the attack, and a screenshot in the original post shows the same certificate.
  • A talk by FireEye researchers at Code Blue 2019 about cyberattacks against Japanese targets. In one of the attacks, the researchers found the use of POISONPLUG (the name for ShadowPad used by FireEye). Analysis of the infrastructure revealed the same certificate on ShadowPad C2 servers (screenshot in the original post).
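Because the two fingerprints above have stayed constant, they work directly as detection indicators on the network side. The following is an added example (not the author's code) that matches TLS sessions against those SHA1 values. It assumes the input is Suricata's EVE JSON `tls` event stream, whose `tls.fingerprint`, `tls.subject` and `tls.issuerdn` fields are used here; the three sample events are constructed, with addresses from documentation ranges. It also shows the weaker check a practitioner wants alongside the hash: a certificate that reuses the same distinguished-name fields (O=myorganization, OU=mygroup) but carries a different fingerprint is reported at lower confidence rather than silently ignored.

```python
"""Match TLS sessions against the ShadowPad C2 certificate fingerprints.
Added example, not the article's code. Input format assumed: Suricata EVE JSON
'tls' events (tls.fingerprint, tls.subject, tls.issuerdn). Sample events below
are constructed."""
import json

# SHA1 fingerprints quoted in the article, lowercase hex without separators.
SHADOWPAD_SHA1 = {
    "0a71519f5549b21510410cdf4a85701489676ddb": "ShadowPad root CA (CN=myCA)",
    "2d2d79c478e92a7de25e661ff1a68de0833b9d9b": "ShadowPad server cert (CN=myServer)",
}

# Distinguished-name fragments from the same chain; a weaker indicator for
# the case where the operators re-issue a certificate with the same template.
SHADOWPAD_DN_MARKERS = ("O=myorganization", "OU=mygroup")


def normalize_fingerprint(value):
    """Return 40 lowercase hex chars from '2D:2D:..', 'sha1:2d2d..' or bare hex; None if malformed."""
    if not isinstance(value, str):
        return None
    fp = value.strip().lower()
    if fp.startswith("sha1:"):
        fp = fp[len("sha1:"):]
    fp = fp.replace(":", "").replace(" ", "")
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        return None
    return fp


def classify_tls_event(event):
    """Return None for a benign session, else a dict describing the matched indicator."""
    tls = event.get("tls") or {}
    base = {"dest_ip": event.get("dest_ip"), "dest_port": event.get("dest_port")}
    fp = normalize_fingerprint(tls.get("fingerprint"))
    if fp in SHADOWPAD_SHA1:
        return {**base, "indicator": fp, "label": SHADOWPAD_SHA1[fp], "confidence": "high"}
    dn = f"{tls.get('subject', '')} {tls.get('issuerdn', '')}"
    if all(marker in dn for marker in SHADOWPAD_DN_MARKERS):
        # Same certificate template, different hash: worth an analyst's look, not an auto-block.
        return {**base, "indicator": dn.strip(), "label": "ShadowPad-style certificate DN",
                "confidence": "medium"}
    return None


def scan_eve_log(lines):
    """Parse newline-delimited EVE JSON and return the list of hits, skipping bad lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # truncated or non-JSON line
        if event.get("event_type") != "tls":
            continue
        hit = classify_tls_event(event)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample (RFC 5737 documentation addresses): a true hit, a benign
# session, and a re-issued certificate that only matches on the DN template.
SAMPLE_EVE = """
{"timestamp":"2022-03-20T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443,"tls":{"subject":"C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer","issuerdn":"C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA","fingerprint":"2D:2D:79:C4:78:E9:2A:7D:E2:5E:66:1F:F1:A6:8D:E0:83:3B:9D:9B","version":"TLS 1.2"}}
{"timestamp":"2022-03-20T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.20","dest_port":443,"tls":{"subject":"CN=www.example.com","issuerdn":"C=US, O=Example CA, CN=Example Root","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","version":"TLS 1.3"}}
{"timestamp":"2022-03-20T10:00:03.000000+0000","event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.5","dest_port":8443,"tls":{"subject":"C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer","issuerdn":"C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA","fingerprint":"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc","version":"TLS 1.2"}}
"""

if __name__ == "__main__":
    for hit in scan_eve_log(SAMPLE_EVE.splitlines()):
        print(hit)
```

Feeding a real `eve.json` through `scan_eve_log(open("eve.json"))` gives the same structure; the "high" hits are safe to push straight into a blocklist or a MISP event, while the "medium" ones are the candidates to review when the group eventually rotates the certificate.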

Evolution of the malware’s infrastructure

By searching for servers that currently use the previously discovered certificate and those that used it in the past, it’s possible to trace the evolution of ShadowPad’s malware infrastructure over the past few years.

To obtain these results, you can use Shodan or Censys with a search that pivots on the SSL SHA1: “2d2d79c478e92a7de25e661ff1a68de0833b9d9b”:

https://www.shodan.io/search?query=ssl%3A%222d2d79c478e92a7de25e661ff1a68de0833b9d9b%22

At the time of writing, 10–20 IPs per day host the certificate. This number varies from day to day, increasing or decreasing according to the Threat Actors’ needs and goals.

Here is ShadowPad's evolution since mid-2017:

https://trends.shodan.io/search?query=ssl:%222d2d79c478e92a7de25e661ff1a68de0833b9d9b%22#facet/overview

Starting from 2017, over 600 IP addresses used the ShadowPad certificate. Since 2017, the infrastructure grew steadily until February 2021, when it reached its peak with over 80 active IPs.

From that moment on, the infrastructure has gradually shrunk, and today it counts between 10 and 20 unique IPs.

The beginning of the conflict between Russia and Ukraine does not seem to have altered this trend, leaving the ShadowPad infrastructure consistently reduced for now.

The following figure shows the top 5 countries related to the detected IP addresses:

https://trends.shodan.io/search?query=ssl:%222d2d79c478e92a7de25e661ff1a68de0833b9d9b%22#facet/country

Since 2017 the infrastructure has been mainly hosted in the following countries:

  • Hong Kong
  • South Korea
  • China
  • Japan
  • US

There is no country that stands out more than the others, but Asia appears to be the primary hosting region.

The following figure shows the distribution of the top 5 service providers used by ShadowPad:

https://trends.shodan.io/search?query=ssl:%222d2d79c478e92a7de25e661ff1a68de0833b9d9b%22#facet/org

The IP addresses are distributed between over 150 unique providers.

The highest number of servers is concentrated on the following 5 providers:

  • EHOSTICT
  • Hdtidc Limited
  • Hong Kong Broadband Network
  • Anchnet Asia Limited
  • Topway Global Limited

Here is the C2s’ port usage over the years:

https://trends.shodan.io/search?query=ssl:%222d2d79c478e92a7de25e661ff1a68de0833b9d9b%22#facet/port

As you can see from the graph, the most used port by the different C2s was 443, but other ports have also been used, such as 8081, 8443 and 8083.
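The counts discussed in this section (unique IPs, peak month, top countries, providers and ports) and the blocklist mentioned in the conclusions can be reproduced from the raw search results rather than read off the Shodan graphs. Below is an added example (not the author's code) that does this offline. It assumes the record layout of the `matches` entries returned by Shodan's host search API (`ip_str`, `port`, `timestamp`, `org`, `location.country_name`, `ssl.cert.fingerprint.sha1`); the five sample records are constructed, using documentation IP ranges and the provider names from the list above. The one check worth noting is that results are re-filtered on the exact leaf-certificate SHA1 field before counting, so a banner that only mentions the hash elsewhere in its SSL block does not inflate the numbers.

```python
"""Summarise Shodan results for the ShadowPad certificate pivot and build a
blocklist. Added example, not the article's code. Record layout assumed:
Shodan host-search 'matches' entries (ip_str, port, timestamp, org,
location.country_name, ssl.cert.fingerprint.sha1). Sample data is constructed."""
from collections import Counter, defaultdict

SERVER_CERT_SHA1 = "2d2d79c478e92a7de25e661ff1a68de0833b9d9b"


def shodan_query(sha1=SERVER_CERT_SHA1):
    """The query string the article uses on shodan.io / trends.shodan.io."""
    return f'ssl:"{sha1}"'


def confirmed_c2_records(matches, sha1=SERVER_CERT_SHA1):
    """Keep only banners whose leaf certificate SHA1 equals the pivot value."""
    keep = []
    for m in matches:
        fp = (((m.get("ssl") or {}).get("cert") or {}).get("fingerprint") or {}).get("sha1", "")
        if fp.lower() == sha1:
            keep.append(m)
    return keep


def infrastructure_summary(matches):
    """Unique IPs, IPs per month, peak month and top-5 facets, counted per unique IP
    for countries/providers and per banner for ports."""
    recs = confirmed_c2_records(matches)
    ips_by_month = defaultdict(set)
    ip_country, ip_org, ports = {}, {}, Counter()
    for m in recs:
        ip = m["ip_str"]
        ips_by_month[m["timestamp"][:7]].add(ip)  # "YYYY-MM"
        ip_country[ip] = (m.get("location") or {}).get("country_name", "unknown")
        ip_org[ip] = m.get("org") or "unknown"
        ports[m["port"]] += 1
    peak = max(ips_by_month, key=lambda k: len(ips_by_month[k])) if ips_by_month else None
    return {
        "unique_ips": len(ip_country),
        "ips_per_month": {k: len(v) for k, v in sorted(ips_by_month.items())},
        "peak_month": peak,
        "top_countries": Counter(ip_country.values()).most_common(5),
        "top_orgs": Counter(ip_org.values()).most_common(5),
        "top_ports": ports.most_common(5),
    }


def blocklist(matches):
    """Sorted unique ip:port pairs for a firewall ruleset or TIP import."""
    return sorted({f"{m['ip_str']}:{m['port']}" for m in confirmed_c2_records(matches)})


def _rec(ip, port, ts, org, country, sha1=SERVER_CERT_SHA1):
    return {"ip_str": ip, "port": port, "timestamp": ts, "org": org,
            "location": {"country_name": country},
            "ssl": {"cert": {"fingerprint": {"sha1": sha1}}}}


# Constructed sample (RFC 5737 addresses). The last record carries a different
# leaf certificate and must be dropped by the explicit fingerprint check.
SAMPLE_MATCHES = [
    _rec("192.0.2.10", 443, "2021-02-03T08:11:00.000000", "Hdtidc Limited", "Hong Kong"),
    _rec("192.0.2.10", 8443, "2021-02-10T02:40:00.000000", "Hdtidc Limited", "Hong Kong"),
    _rec("192.0.2.11", 443, "2021-02-12T19:05:00.000000", "EHOSTICT", "South Korea"),
    _rec("198.51.100.5", 8081, "2021-03-01T11:20:00.000000", "Anchnet Asia Limited", "China"),
    _rec("198.51.100.6", 443, "2021-03-15T07:00:00.000000", "EHOSTICT", "South Korea",
         sha1="ffeeddccbbaa99887766554433221100ffeeddcc"),
]

if __name__ == "__main__":
    print(shodan_query())
    for k, v in infrastructure_summary(SAMPLE_MATCHES).items():
        print(f"{k}: {v}")
    print("\n".join(blocklist(SAMPLE_MATCHES)))
```

With live data, the `matches` list from the API's search endpoint (or the JSON produced by the `shodan` CLI) drops straight into `infrastructure_summary` and `blocklist`; running it on a schedule and diffing the blocklist against the previous run is the simplest form of the continuous monitoring the article recommends.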

Conclusions

Thanks to the continuous use of the same certificate, it was possible to analyze the ShadowPad’s malware infrastructure from 2017 to today.

It was interesting to discover that the infrastructure over the years has always been geolocated mainly in Asia and that the moment of maximum expansion was about 1 year ago.

Thanks to the continuous monitoring of the new servers that host this certificate, it is possible to proactively detect and block the involved malicious IPs. If you are among the sectors targeted by this APT, generating the list of C2s to block can be a great way to create actionable intelligence for your company.


ShadowPad public references:

Winnti public references:
