ShadowPad backdoor exploiting vulnerabilities

Product / Version includes:

OfficeScan XG , OfficeScan 11.0 , Apex One 2019 , Apex One as a Service All , Worry-Free Business Security Standard All

Last updated: 2025/05/08

Solution ID: KA-0010815

Category: Remove a Malware / Virus

Summary

ShadowPad is one of the largest known supply-chain attacks. Once activated, the backdoor allows attackers to download further malicious modules or steal data.

There are reports that the recently disclosed multiple vulnerabilities (CVE-2019-9489, CVE-2020-8467, CVE-2020-8468, CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) this March on OSCE / Apex One could have been also utilized. Patches (KB 000245571 and KB 1122250) were already released to fix these vulnerabilities.

Capabilities

Exploit
Information Theft
Persistence

Impact

Exfiltration Over Command and Control Channel
Remote Command Execution

Malware routine can be found on the following virus reports:

Indicators of Compromise

hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible

Detections	Hash (SHA1)
Backdoor.Win64.SHADOWPAD.AA	32466d8d232d7b1801f456fe336615e6fa5e6ffb 4dc5fadece500ccd8cc49cfcf8a1b59baee3382a 6f065eea36e28403d4d518b8e24bb7a915b612c3
Backdoor.Win64.SHADOWPAD.AD	556cd176ffb3a5576c77a1cf3d989ec88ce252da a570deda43eb424cc3578ba00b4d42d40044bd00
Backdoor.Win64.SHADOWPAD.AE	07ef26c53b62c4b38c4ff4b6186bda07a2ff40cb
Backdoor.Win64.SHADOWPAD.DAM	d78dc2061e829d4c729959f4f62978979bf09bf7
Backdoor.Win64.SHADOWPAD.SM	27fe9533d9acf50775dbec7ddc7666eab5ace2c4 42e559fd9e52040966a1e3a6a598209f5abd54a8 8702cb36e352f5364d93bd9c1c950451c6fc19c0 d80f117e75cba4b93e531609eb0b21761f1c1577

TM Detection	OPR
Backdoor.Win64.SHADOWPAD.AD	15.751.00
Backdoor.Win64.SHADOWPAD.AE	15.803.00
Backdoor.Win64.SHADOWPAD.DAM	15.827.00
Backdoor.Win64.SHADOWPAD.SM	15.791.00

Predictive Machine Learning (Trend X) Detection
Troj.Win32.TRX.XXPE50FFF034

Sandbox Detection
VAN_MALWARE.UMXX

Actions to Take

Make sure that your product software is patched and up to date. Refer to the following KB articles:

Trend Micro Endpoint Product using best practices should be able to detect and clean this malware. For more information, refer to the KB article on Best practices in configuring OfficeScan (OSCE) for malware protection.

For machines that are isolated or without agents installed, you can use ATTK online Clean Tool to clean the infected machine. Refer to this KB article.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

ShadowPad backdoor exploiting vulnerabilities

ShadowPad backdoor exploiting vulnerabilities

Product / Version includes:

Summary