ShadowPad is the backdoor behind one of the largest known supply-chain attacks. Once activated, it allows attackers to download further malicious modules or steal data.
There are reports that the multiple vulnerabilities disclosed this March in OfficeScan (OSCE) / Apex One (CVE-2019-9489, CVE-2020-8467, CVE-2020-8468, CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) could also have been used in these attacks. Patches for these vulnerabilities have already been released (see KB 000245571 and KB 1122250).
- Information Theft
- Exfiltration Over Command and Control Channel
- Remote Command Execution
Details of the malware routine can be found in the following Threat Encyclopedia entries:
- Threat Encyclopedia: Backdoor.Win64.SHADOWPAD.AE
- Threat Encyclopedia: Backdoor.Win64.SHADOWPAD.AD
- Threat Encyclopedia: BKDR_SHADOWPAD.A
Indicators of Compromise
- hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible
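The indicator above is published in defanged form, so it cannot be matched against logs as-is. The following script, added here as an example and not part of the original article or any Trend Micro tool, refangs the indicator, extracts its hostname and scans constructed proxy/DNS log lines (in an assumed key=value format) for contacts with that host or any of its subdomains. It matches on whole labels rather than substrings, and it deliberately does not match the parent zone (dns05[.]com), which is assumed to be a shared dynamic-DNS domain that would flag unrelated hosts.

```python
import re
from urllib.parse import urlparse

# Indicator as published above, in defanged form.
DEFANGED_C2 = "hxxps://trendupdate[.]dns05[.]com"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a parseable URL.

    Handles the hxxp/hxxps scheme and the [.], (.), {.} dot substitutions.
    """
    url = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return re.sub(r"[\[({]\.[\])}]", ".", url)


def indicator_host(ioc: str) -> str:
    """Extract the lowercase hostname (no trailing dot) from a defanged or plain URL."""
    host = urlparse(refang(ioc)).hostname
    if not host:
        raise ValueError(f"no hostname in indicator: {ioc!r}")
    return host.lower().rstrip(".")


def host_matches(host: str, c2: str) -> bool:
    """True if host is the C&C host or a subdomain of it (label-aware, not substring)."""
    host = host.lower().rstrip(".")
    return host == c2 or host.endswith("." + c2)


# Constructed sample log lines in an assumed key=value format (not real traffic).
SAMPLE_LOGS = [
    "2020-03-16T09:12:01Z src=10.0.0.21 host=update.microsoft.com action=allow",
    "2020-03-16T09:12:07Z src=10.0.0.21 host=trendupdate.dns05.com action=allow",
    "2020-03-16T09:13:44Z src=10.0.0.35 host=cdn.trendupdate.dns05.com action=allow",
    "2020-03-16T09:14:02Z src=10.0.0.35 host=nottrendupdate.dns05.com action=allow",
    "2020-03-16T09:14:30Z src=10.0.0.35 host=dns05.com action=allow",
    "2020-03-16T09:15:10Z src=10.0.0.40 host=TRENDUPDATE.DNS05.COM. action=deny",
]

HOST_FIELD = re.compile(r"\bhost=(\S+)")
SRC_FIELD = re.compile(r"\bsrc=(\S+)")


def find_c2_hits(lines, ioc=DEFANGED_C2):
    """Return (source_ip, host) pairs for lines contacting the C&C host or a subdomain of it."""
    c2 = indicator_host(ioc)
    hits = []
    for line in lines:
        m = HOST_FIELD.search(line)
        if not m:
            continue
        host = m.group(1)
        if host_matches(host, c2):
            src = SRC_FIELD.search(line)
            hits.append((src.group(1) if src else None, host))
    return hits


if __name__ == "__main__":
    for src, host in find_c2_hits(SAMPLE_LOGS):
        print(f"possible ShadowPad C&C contact from {src}: {host}")
```

Note that a denied connection (the last sample line) is still reported: a blocked attempt to reach the C&C host is evidence that the backdoor is present on that endpoint, even though no data left the network.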
Predictive Machine Learning (Trend X) Detection
Actions to Take
Make sure that your product software is patched and up to date. Refer to the following KB articles:
- SECURITY BULLETIN: Directory Traversal Vulnerability in Trend Micro Apex One, OfficeScan and Worry-Free Business Security
- SECURITY BULLETIN: Multiple Critical Vulnerabilities in Trend Micro Apex One and OfficeScan
Trend Micro endpoint products configured according to best practices should be able to detect and clean this malware. For more information, refer to the KB article on best practices in configuring OfficeScan (OSCE) for malware protection.
For machines that are isolated or have no agent installed, you can use the ATTK Online Clean Tool to clean the infected machine. Refer to the corresponding KB article.