Summary
ShadowPad is one of the largest known supply-chain attacks. Once activated, the backdoor allows attackers to download further malicious modules or steal data.
There are reports that the multiple vulnerabilities disclosed this March in OfficeScan (OSCE) / Apex One (CVE-2019-9489, CVE-2020-8467, CVE-2020-8468, CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) could also have been utilized. Patches (KB 000245571 and KB 1122250) have already been released to fix these vulnerabilities.
Capabilities
- Exploit
- Information Theft
- Persistence
Impact
- Exfiltration Over Command and Control Channel
- Remote Command Execution
The malware routine can be found in the following virus reports:
Indicators of Compromise
- hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible
| Detections | Hash (SHA1) |
|---|---|
| Backdoor.Win64.SHADOWPAD.AA | 32466d8d232d7b1801f456fe336615e6fa5e6ffb |
| Backdoor.Win64.SHADOWPAD.AA | 4dc5fadece500ccd8cc49cfcf8a1b59baee3382a |
| Backdoor.Win64.SHADOWPAD.AA | 6f065eea36e28403d4d518b8e24bb7a915b612c3 |
| Backdoor.Win64.SHADOWPAD.AD | 556cd176ffb3a5576c77a1cf3d989ec88ce252da |
| Backdoor.Win64.SHADOWPAD.AD | a570deda43eb424cc3578ba00b4d42d40044bd00 |
| Backdoor.Win64.SHADOWPAD.AE | 07ef26c53b62c4b38c4ff4b6186bda07a2ff40cb |
| Backdoor.Win64.SHADOWPAD.DAM | d78dc2061e829d4c729959f4f62978979bf09bf7 |
| Backdoor.Win64.SHADOWPAD.SM | 27fe9533d9acf50775dbec7ddc7666eab5ace2c4 |
| Backdoor.Win64.SHADOWPAD.SM | 42e559fd9e52040966a1e3a6a598209f5abd54a8 |
| Backdoor.Win64.SHADOWPAD.SM | 8702cb36e352f5364d93bd9c1c950451c6fc19c0 |
| Backdoor.Win64.SHADOWPAD.SM | d80f117e75cba4b93e531609eb0b21761f1c1577 |

| TM Detection | OPR |
|---|---|
| Backdoor.Win64.SHADOWPAD.AD | 15.751.00 |
| Backdoor.Win64.SHADOWPAD.AE | 15.803.00 |
| Backdoor.Win64.SHADOWPAD.DAM | 15.827.00 |
| Backdoor.Win64.SHADOWPAD.SM | 15.791.00 |

| Predictive Machine Learning (Trend X) Detection |
|---|
| Troj.Win32.TRX.XXPE50FFF034 |

| Sandbox Detection |
|---|
| VAN_MALWARE.UMXX |
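The indicators above are only useful once they are checked against something. The script below is an added example (not Trend Micro's tooling) that takes the SHA1 hashes and the defanged C&C domain exactly as listed on this page and applies them two ways: hashing every file under a directory and reporting matches by detection name, and scanning DNS log lines for queries to the C&C host or any of its subdomains while ignoring lookalike names that merely contain the string. The directory walk, the log line format and the sample log are assumptions constructed for illustration; the hash and domain values come from the tables above.

```python
"""Check local files and DNS logs against the ShadowPad IoCs listed on this page.

Added example: hash and domain values are copied from the advisory's IoC tables;
the directory scan, log format and helper names are illustrative assumptions.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# SHA1 hashes and detection names copied from the IoC table on this page.
SHADOWPAD_SHA1 = {
    "32466d8d232d7b1801f456fe336615e6fa5e6ffb": "Backdoor.Win64.SHADOWPAD.AA",
    "4dc5fadece500ccd8cc49cfcf8a1b59baee3382a": "Backdoor.Win64.SHADOWPAD.AA",
    "6f065eea36e28403d4d518b8e24bb7a915b612c3": "Backdoor.Win64.SHADOWPAD.AA",
    "556cd176ffb3a5576c77a1cf3d989ec88ce252da": "Backdoor.Win64.SHADOWPAD.AD",
    "a570deda43eb424cc3578ba00b4d42d40044bd00": "Backdoor.Win64.SHADOWPAD.AD",
    "07ef26c53b62c4b38c4ff4b6186bda07a2ff40cb": "Backdoor.Win64.SHADOWPAD.AE",
    "d78dc2061e829d4c729959f4f62978979bf09bf7": "Backdoor.Win64.SHADOWPAD.DAM",
    "27fe9533d9acf50775dbec7ddc7666eab5ace2c4": "Backdoor.Win64.SHADOWPAD.SM",
    "42e559fd9e52040966a1e3a6a598209f5abd54a8": "Backdoor.Win64.SHADOWPAD.SM",
    "8702cb36e352f5364d93bd9c1c950451c6fc19c0": "Backdoor.Win64.SHADOWPAD.SM",
    "d80f117e75cba4b93e531609eb0b21761f1c1577": "Backdoor.Win64.SHADOWPAD.SM",
}

# The defanged C&C indicator exactly as the page lists it.
DEFANGED_C2 = "hxxps://trendupdate[.]dns05[.]com"


def refang_host(ioc: str) -> str:
    """Turn a defanged URL or domain into a plain lowercase hostname for matching."""
    host = ioc.replace("hxxp", "http").replace("[.]", ".")
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].rstrip(".").lower()


C2_HOST = refang_host(DEFANGED_C2)  # "trendupdate.dns05.com"


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def classify_sha1(digest: str) -> Optional[str]:
    """Return the detection name for a known ShadowPad SHA1, else None."""
    return SHADOWPAD_SHA1.get(digest.lower())


def sha1_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA1 so large binaries do not load into memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path) -> List[Tuple[Path, str]]:
    """Walk `root` and report files whose SHA1 appears in the IoC list."""
    hits: List[Tuple[Path, str]] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            name = classify_sha1(sha1_of_file(path))
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if name:
            hits.append((path, name))
    return hits


def host_matches_c2(token: str) -> bool:
    """True if token is the C&C host or a subdomain of it (not a lookalike prefix)."""
    t = token.rstrip(".").lower()
    return t == C2_HOST or t.endswith("." + C2_HOST)


def find_c2_lookups(log_lines: Iterable[str]) -> List[str]:
    """Return log lines containing a query for the C&C host or a subdomain of it."""
    return [line for line in log_lines
            if any(host_matches_c2(tok) for tok in line.split())]


# Constructed DNS log sample (not real telemetry): the second and third lines
# should match; the fourth is a lookalike that contains the string but must not.
SAMPLE_DNS_LOG = [
    "2020-03-15T10:01:02Z host01 query A www.example.com",
    "2020-03-15T10:01:05Z host02 query A trendupdate.dns05.com",
    "2020-03-15T10:01:09Z host03 query A cdn.trendupdate.dns05.com.",
    "2020-03-15T10:02:11Z host04 query A nottrendupdate.dns05.com",
]


def demo_scan() -> List[Tuple[Path, str]]:
    """Scan a throwaway directory holding one benign file; expect no hits."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "benign.txt").write_bytes(b"hello")
        return scan_directory(Path(tmp))


if __name__ == "__main__":
    for line in find_c2_lookups(SAMPLE_DNS_LOG):
        print("C&C lookup:", line)
    print("file hits:", demo_scan())
```

Point `scan_directory` at a suspect host's program directories, or feed `find_c2_lookups` exported resolver logs. Note that the domain is reported as no longer accessible, so a historical DNS query is evidence of past contact rather than of an active channel, and a hash match should be confirmed with the listed detection names in the endpoint product before taking a machine offline.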
Actions to Take
Make sure that your product software is patched and up to date. Refer to the following KB articles:
Trend Micro endpoint products configured according to best practices should be able to detect and clean this malware. For more information, refer to the KB article on best practices in configuring OfficeScan (OSCE) for malware protection.
For machines that are isolated or that have no agent installed, you can use the ATTK Online Clean Tool to clean the infected machine. Refer to this KB article.