ShadowPad backdoor exploiting vulnerabilities

    • Updated: 19 Aug 2020
    • Product/Version: Apex One 2019, Apex One as a Service, OfficeScan 11.0, OfficeScan XG, Worry-Free Business Security Standard All
Summary

ShadowPad is one of the largest known supply-chain attacks. Once activated, the backdoor allows attackers to download further malicious modules or steal data.

There are reports that the multiple vulnerabilities disclosed this March in OfficeScan (OSCE) / Apex One (CVE-2019-9489, CVE-2020-8467, CVE-2020-8468, CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) could also have been utilized. Patches (KB 000245571 and KB 1122250) have already been released to fix these vulnerabilities.

Capabilities

  • Exploit
  • Information Theft
  • Persistence

Impact

  • Exfiltration Over Command and Control Channel
  • Remote Command Execution

The malware routine can be found in the following virus reports:

Indicators of Compromise

  • hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible
Detections and hashes (SHA1):

  • Backdoor.Win64.SHADOWPAD.AA
      32466d8d232d7b1801f456fe336615e6fa5e6ffb
      4dc5fadece500ccd8cc49cfcf8a1b59baee3382a
      6f065eea36e28403d4d518b8e24bb7a915b612c3
  • Backdoor.Win64.SHADOWPAD.AD
      556cd176ffb3a5576c77a1cf3d989ec88ce252da
      a570deda43eb424cc3578ba00b4d42d40044bd00
  • Backdoor.Win64.SHADOWPAD.AE
      07ef26c53b62c4b38c4ff4b6186bda07a2ff40cb
  • Backdoor.Win64.SHADOWPAD.DAM
      d78dc2061e829d4c729959f4f62978979bf09bf7
  • Backdoor.Win64.SHADOWPAD.SM
      27fe9533d9acf50775dbec7ddc7666eab5ace2c4
      42e559fd9e52040966a1e3a6a598209f5abd54a8
      8702cb36e352f5364d93bd9c1c950451c6fc19c0
      d80f117e75cba4b93e531609eb0b21761f1c1577
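
As an added example (not code from this article or from Trend Micro), the following Python checks file contents and DNS query logs against the indicators listed above. The DNS log format and the sample files and log lines are constructed for illustration; the hash set and C&C hostname are the ones published in this article.

```python
import hashlib
import re

# SHA1 indicators listed in the advisory above (Backdoor.Win64.SHADOWPAD.*).
SHADOWPAD_SHA1 = {
    "32466d8d232d7b1801f456fe336615e6fa5e6ffb", "4dc5fadece500ccd8cc49cfcf8a1b59baee3382a",
    "6f065eea36e28403d4d518b8e24bb7a915b612c3", "556cd176ffb3a5576c77a1cf3d989ec88ce252da",
    "a570deda43eb424cc3578ba00b4d42d40044bd00", "07ef26c53b62c4b38c4ff4b6186bda07a2ff40cb",
    "d78dc2061e829d4c729959f4f62978979bf09bf7", "27fe9533d9acf50775dbec7ddc7666eab5ace2c4",
    "42e559fd9e52040966a1e3a6a598209f5abd54a8", "8702cb36e352f5364d93bd9c1c950451c6fc19c0",
    "d80f117e75cba4b93e531609eb0b21761f1c1577",
}
# C&C indicator from the advisory, kept defanged exactly as published.
SHADOWPAD_C2_DEFANGED = "hxxps://trendupdate[.]dns05[.]com"


def refang(indicator: str) -> str:
    """Turn a defanged URL/host into a plain lowercase hostname for log matching."""
    host = re.sub(r"^hxxps?://", "", indicator.strip(), flags=re.IGNORECASE)
    return host.replace("[.]", ".").rstrip("/").lower()


def sha1_matches(files, iocs=SHADOWPAD_SHA1):
    """files: iterable of (path, bytes). Returns the paths whose SHA1 is in iocs."""
    wanted = {h.lower() for h in iocs}  # tolerate upper-case hashes in the IoC feed
    return [path for path, data in files
            if hashlib.sha1(data).hexdigest() in wanted]


def c2_matches(dns_log_lines, c2=SHADOWPAD_C2_DEFANGED):
    """Return (client, queried name) for DNS log lines that resolved the C&C host.
    The log format is a constructed BIND-style one: 'client <ip>#<port>: query: <name> IN A'."""
    host = refang(c2)
    pattern = re.compile(r"client (\S+?)#\d+: query: (\S+) IN")
    hits = []
    for line in dns_log_lines:
        m = pattern.search(line)
        if m and m.group(2).lower().rstrip(".") == host:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_FILES = [("C:\\Users\\u\\notes.txt", b"meeting notes"),
                ("C:\\Windows\\Temp\\svc.dll", b"constructed sample payload")]
SAMPLE_DNS_LOG = [
    "12-Aug-2020 10:01:02 client 10.0.0.5#53211: query: trendupdate.dns05.com IN A",
    "12-Aug-2020 10:01:03 client 10.0.0.7#40122: query: update.example.com IN A",
]
```

Calling sha1_matches(SAMPLE_FILES) and c2_matches(SAMPLE_DNS_LOG) reports the second sample file only if its hash is in the IoC set (it is not) and flags the one client that queried the C&C hostname.
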
Details

TM Detection and OPR:

  • Backdoor.Win64.SHADOWPAD.AD: 15.751.00
  • Backdoor.Win64.SHADOWPAD.AE: 15.803.00
  • Backdoor.Win64.SHADOWPAD.DAM: 15.827.00
  • Backdoor.Win64.SHADOWPAD.SM: 15.791.00

Predictive Machine Learning (Trend X) Detection:

  • Troj.Win32.TRX.XXPE50FFF034

Sandbox Detection:

  • VAN_MALWARE.UMXX

Actions to Take

Make sure that your product software is patched and up to date. Refer to the following KB articles:

Trend Micro endpoint products configured according to best practices should be able to detect and clean this malware. For more information, refer to the KB article on best practices in configuring OfficeScan (OSCE) for malware protection.

For machines that are isolated or do not have agents installed, you can use the ATTK Online Clean Tool to clean the infected machine. Refer to this KB article.

Category: Remove a Malware / Virus
Solution Id: 000263049