Supply Chain Attack Targeting Pakistani Government Delivers ShadowPad – Trend Micro

Overview

A recent investigation by Trend Micro has uncovered a potential supply chain attack targeting the Pakistani government. The attack involves an MSI installer for the Pakistani government app E-Office, which was found to deliver a ShadowPad sample. ShadowPad is an advanced malware family discovered in 2017 following a supply chain attack on server management software, attributed to APT41. Since 2019, this malware has been shared among multiple Chinese threat actors such as Earth Akhlut or Earth Lusca.

Technical Analysis

The MSI installer’s metadata contains tags mentioning the eOffice and its developing agency. The installer was found to contain three additional files:

  1. Telerik.Windows.Data.Validation.dll
  2. mscoree.dll
  3. mscoree.dll.dat

The Telerik.Windows.Data.Validation.dll is a 64-bit non-DLL PE executable file, which is the legitimate applaunch.exe file signed by Microsoft. This executable is known to be abused by multiple threat actors to sideload malicious files named mscoree.dll. The mscoree.dll is a malicious DLL that decrypts and loads the mscoree.dll.dat file, which is the ShadowPad payload.

The ShadowPad malware uses a DLL sideloading weakness in the applaunch.exe file. The malicious DLL checks a few bytes of the executable that loaded it, at a hard-coded offset, to verify that they match an expected value; if they do not, the DLL terminates itself. This check is intended as an anti-sandbox measure, so that the payload does not run when the DLL is loaded by an analysis harness rather than the expected host executable.
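A defender-side hunt for the file layout described above (a 64-bit EXE carrying a DLL name, sitting next to mscoree.dll and mscoree.dll.dat), as an added example that is not Trend Micro's code: it parses the COFF file header to flag any .dll file whose IMAGE_FILE_DLL characteristic is clear, and reports directories that hold the loader together with its companion files. The three file names come from the report; the directory name EOfficeApp, the minimal fake PE headers and the demo() helper are constructed for the example.

```python
import os
import struct
import tempfile

LOADER_NAME = "telerik.windows.data.validation.dll"   # name from the report
COMPANIONS = {"mscoree.dll", "mscoree.dll.dat"}       # names from the report
IMAGE_FILE_DLL = 0x2000            # IMAGE_FILE_HEADER.Characteristics flag
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit machine type


def pe_file_header(data: bytes):
    """Parse the COFF file header; return (machine, characteristics) or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return machine, chars


def is_exe_named_as_dll(name: str, data: bytes) -> bool:
    """True when a *.dll file is really an EXE image (IMAGE_FILE_DLL clear)."""
    hdr = pe_file_header(data)
    if hdr is None or not name.lower().endswith(".dll"):
        return False
    return not (hdr[1] & IMAGE_FILE_DLL)


def scan_directory(root: str):
    """Return (path, reason) findings for sideload triads and mis-typed PEs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        names = {f.lower() for f in files}
        present = COMPANIONS & names
        if LOADER_NAME in names and present:
            findings.append((dirpath, "sideload triad: " + LOADER_NAME +
                             " with " + ", ".join(sorted(present))))
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)   # headers sit in the first page
            except OSError:
                continue
            if is_exe_named_as_dll(f, head):
                findings.append((path, "PE named .dll but IMAGE_FILE_DLL not set"))
    return findings


def build_fake_pe(is_dll: bool, machine: int = IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Constructed minimal DOS+PE header for testing; not a runnable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE, plus DLL if asked
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, chars)


def demo():
    """Lay out the triad in a temp dir (constructed) and scan it; returns findings."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "EOfficeApp")      # constructed directory name
        os.makedirs(app)
        with open(os.path.join(app, "Telerik.Windows.Data.Validation.dll"), "wb") as fh:
            fh.write(build_fake_pe(is_dll=False))    # EXE image carrying a .dll name
        with open(os.path.join(app, "mscoree.dll"), "wb") as fh:
            fh.write(build_fake_pe(is_dll=True))     # stand-in for the loader DLL
        with open(os.path.join(app, "mscoree.dll.dat"), "wb") as fh:
            fh.write(b"opaque blob")                 # stand-in for the encrypted payload
        return scan_directory(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

On a real host, run scan_directory over user-writable and application directories and exclude the Windows system directories, where a genuine mscoree.dll legitimately lives; a copy of mscoree.dll next to a signed Microsoft executable outside those locations is the pattern the report describes and is worth a closer look regardless of the file's hash.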

The malware uses two different obfuscation techniques, both of which are used in the DLL and the decrypted payload. The first technique prevents the disassembler from statically following the code flow, as every instruction is followed by a call to a function that calculates the address of the next instruction. The second technique adds useless instructions and branches that are never taken.

Indicators of Compromise (IOCs)

The following are the IOCs related to this threat:

SHA256:

  • c1feef03663a9aa920a9ab4eb2ab7adadb3f2a60db23a90e5fe9b949d4ec22b6
  • 4e3a455e7f0b8f34385cd8320022719a8fc59d8bc091472990ac9a56e982a965
  • 17272a56cbf8e479c085e88fe22243685fac2bc041bda26554aa716287714466
  • c35b8514e3b2649e17c13fd9dc4796dbc52e38e054d518556c82e6df38ca4c1b
  • d6f184dae03d4ddae8e839dd2161d9cd03d3b25421b4795edab0f5ad9850d091
  • f8c5feaae3f8e4bfb37edf4e05d1ee91797023bdf71e1c45ed2711861b300f37
  • 0122734490fe4dfb287d34394667d81ab46e0d05d4569d06a41f0f3c3a36448c
  • bdc6a2985a07ef3c5d2ef2a0eb53afdfdbf757bfa080e8b77ba4b47c1a99b423
  • 4805a7a386fac1af9a80ab24d95ebf4699c35a7c38fcf3eefa571b9d67d7bf45
  • 8b5e918595c27db3bcafd59a86045605837bc5843c938039852218d72cf2c253
  • 953e3ed35d84c4a7c4a599f65b2fbd6475b474e9b4bf85581255f1d81d2b5e4e
  • 6dea7f976a3dc359e630ab5e85fa69f114fc046dcc363598e998e1ef9751bbed
  • 7e8c6961a10c95a5d97aece92c2e2d974d63ede98196413cc0cf033f92084f53
  • dde04eaac96964e86b8734f67f3b6741505fdc5e177dd58e85da12a8120a44bf
  • 16c6558634759e6efd4581de60cc2050d99a53245c6abde3d38fc140204777e9
  • 253f474aa0147fdcf88beaae40f3a23bdadfc98b8dd36ae2d81c387ced2db4f1
  • 05ed1feda4a1684f8f7907644500948f4488a60ecb0740f708e08c1812b7f122
  • 225b0adce4fab783d0962852894482e7452e5483bf955757cb25e6a26c3d3b38

C&C:

  • hXXps://tech.learningstudy[.]xyz:443
  • hXXps://live.musicweb[.]xyz:443
  • hXXps://obo.videocenter[.]org:443
  • hXXps://45.76.144[.]182:443
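An IOC-matching routine for the hashes and C&C indicators listed above, as an added example that is not part of the Trend Micro report: it normalises the hash list, refangs the hXXps/[.] indicators into plain hostnames, and checks proxy log lines for exact host matches. The four C&C entries and the hashes are copied from the lists above (a subset of the hashes, with one entry deliberately repeated so the de-duplication is visible); the log lines, timestamps and internal addresses are constructed.

```python
import hashlib
import re

# Hashes copied from the report's IOC list (subset); the last entry repeats the
# third on purpose to show that normalisation collapses duplicates.
REPORT_SHA256 = [
    "c1feef03663a9aa920a9ab4eb2ab7adadb3f2a60db23a90e5fe9b949d4ec22b6",
    "4e3a455e7f0b8f34385cd8320022719a8fc59d8bc091472990ac9a56e982a965",
    "0122734490fe4dfb287d34394667d81ab46e0d05d4569d06a41f0f3c3a36448c",
    "7e8c6961a10c95a5d97aece92c2e2d974d63ede98196413cc0cf033f92084f53",
    "0122734490fe4dfb287d34394667d81ab46e0d05d4569d06a41f0f3c3a36448c",
]

# C&C indicators copied verbatim (defanged) from the report.
IOC_C2_DEFANGED = [
    "hXXps://tech.learningstudy[.]xyz:443",
    "hXXps://live.musicweb[.]xyz:443",
    "hXXps://obo.videocenter[.]org:443",
    "hXXps://45.76.144[.]182:443",
]

# Constructed proxy log lines: timestamp, client, method, target, status.
LOG_LINES = [
    "2023-05-01T10:02:11Z 10.0.0.15 CONNECT tech.learningstudy.xyz:443 200",
    "2023-05-01T10:02:15Z 10.0.0.15 GET https://update.example.com/patch.msi 200",
    "2023-05-01T10:03:40Z 10.0.0.22 CONNECT 45.76.144.182:443 200",
    "2023-05-01T10:04:02Z 10.0.0.22 GET http://live.musicweb.xyz.example.net/ 404",
]


def normalise_hashes(raw):
    """Lower-case, strip and de-duplicate; drop anything that is not a SHA256 hex string."""
    out = set()
    for h in raw:
        h = h.strip().lower()
        if re.fullmatch(r"[0-9a-f]{64}", h):
            out.add(h)
    return out


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hXXps, [.]) back into a parseable URL."""
    return (ioc.replace("hXXp", "http").replace("hxxp", "http")
               .replace("[.]", ".").replace("[:]", ":"))


def c2_hosts(defanged):
    """Extract the host part of each refanged C&C URL, lower-cased."""
    hosts = set()
    for ioc in defanged:
        m = re.match(r"https?://([^/:]+)", refang(ioc))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def host_of(token: str) -> str:
    """Reduce a log token (URL, host:port or bare host) to its host part."""
    t = token.lower()
    for scheme in ("https://", "http://"):
        if t.startswith(scheme):
            t = t[len(scheme):]
    return t.split("/", 1)[0].rsplit(":", 1)[0]


def match_log(lines, hosts):
    """Return (line_index, host) for every token whose host exactly matches an IOC."""
    hits = []
    for i, line in enumerate(lines):
        for tok in line.split():
            h = host_of(tok)
            if h in hosts:
                hits.append((i, h))
    return hits


def sha256_hit(data: bytes, hashes) -> bool:
    """True when the SHA256 of data is in the normalised IOC set."""
    return hashlib.sha256(data).hexdigest() in hashes


if __name__ == "__main__":
    hosts = c2_hosts(IOC_C2_DEFANGED)
    for idx, host in match_log(LOG_LINES, hosts):
        print("C&C match on line", idx, "->", host)
    print(len(normalise_hashes(REPORT_SHA256)), "unique hashes loaded")
```

The match is on the whole host, so a lookalike such as live.musicweb.xyz.example.net in the constructed log does not fire; because the report notes that the actor blends in with legitimate traffic, the C&C hosts are all on port 443, and a host-level match is the reliable signal rather than anything in the request body.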

MITRE ATT&CK TTPs

The following MITRE ATT&CK TTPs are relevant to this attack:

Possibly related CVEs

CVE-2021-26855

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. This vulnerability has been exploited by the HAFNIUM APT group, among others, and was a part of a series of zero-day vulnerabilities in Microsoft Exchange Server that were exploited in the wild.

More information about CVE-2021-26855 can be found on the Microsoft Security Response Center and the National Vulnerability Database (NVD).

CVE-2022-29464

CVE-2022-29464 is an unrestricted file upload vulnerability affecting various WSO2 products. This critical vulnerability allows unauthenticated and remote attackers to execute arbitrary code on the affected system. It has been exploited in the wild since April 2022 to install Cobalt Strike beacons, coin-miners, and other types of malware.

More information about CVE-2022-29464 can be found on the WSO2 Security Advisory and the National Vulnerability Database (NVD).

Exploitation Campaigns

Both CVE-2021-26855 and CVE-2022-29464 have been exploited in various campaigns:

  • CVE-2021-26855 was exploited by the HAFNIUM APT group and was part of a series of zero-day vulnerabilities in Microsoft Exchange Server that were exploited in the wild. More details can be found in this Microsoft Security Blog post.
  • CVE-2022-29464 has been exploited in the wild since April 2022 to install Cobalt Strike beacons, coin-miners, and other types of malware. More details can be found in this Rapid7 Blog post.

Conclusion

This campaign demonstrates the capabilities of a highly skilled threat actor that managed to compromise a governmental application installer to target sensitive entities. The use of ShadowPad malware potentially links the actor to the nexus of Chinese threat actors, although a specific group cannot be confidently identified. The actor’s ability to blend in with legitimate network traffic shows a high level of preparation and sophistication. It is expected that more threat actors will use this updated ShadowPad version in the future.

Further Reading:

  1. ShadowPad backdoor exploiting vulnerabilities – Trend Micro Business Support
  2. Shadowpad – Privately sold malware espionage tool – Cymulate
  3. Attacks on industrial control systems using ShadowPad – Kaspersky ICS CERT
  4. A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion – NCC Group Research
  5. ShadowPad (Malware Family) – Malpedia
  6. APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor
  7. ShadowPad Malware Detection: Backdoor Popular Among Chinese Clusters of Espionage Activity – SOC Prime
  8. China-Backed APT Pwns Building-Automation Systems With ProxyLogon – Dark Reading
  9. APT Hackers Targeting Industrial Control Systems with ShadowPad… – Vulners
  10. Group of Hackers Attack Asian Governments Using ShadowPad RAT Malware – GBHackers