This post analyzes ShadowPad infrastructure tied to an unidentified threat actor, highlighting non-standard HTTP headers and a certificate spoofing Dell to mask its origin. It catalogs ShadowPad servers across multiple providers, outlines two main port-based clusters, and notes patterns in RDP common names and spoofed entities.
#ShadowPad #DellTechnologiesInc #DellDataVault #TheConstantCompany #KazakhTelecom #AlibabaUS #Google #Shaduruanjian
Key points
- ShadowPad is a modular Trojan used for espionage and information theft since 2019 and linked to Chinese state-linked threat actors.
- The investigation tracks ShadowPad infrastructure via slight changes in HTTP response headers and the use of a certificate attempting to spoof Dell.
- Researchers identified over 30 servers using the spoofed Dell certificate across multiple providers, with varying port configurations.
- Two main clusters exist: Cluster #1 exposes multiple ports, including an HTTP server on port 53 that returns an Nginx header; Cluster #2 primarily uses port 443.
- A notable pattern is the use of common RDP CNs (e.g., “iZ5qjajwc0tiohZ”), suggesting additional actor activity or misconfiguration.
- Several other spoofed entities are noted (Microsoft, KazakhTelecom, Google, SuperMicro, Shaduruanjian), alongside tables of IPs and domains that show the breadth of the infrastructure.
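As an added illustration (not code from the Hunt.io post), the Python sketch below turns the three pivots described in the key points into a hunting heuristic over constructed scan records: a self-signed certificate carrying a Dell-style name, an Nginx-fronted HTTP service on port 53 that lacks the usual "Page Not Found" text, and the shared RDP common name. The matching rules, record field names and sample hosts are assumptions, since the post does not give the exact query it used.

```python
import re

# Constructed sample scan observations (not from the original post). IPs are
# documentation-range placeholders; the certificate fields imitate the
# spoofed-Dell naming from the post's hashtags and the RDP CN is the one quoted.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "rdp_cn": "iZ5qjajwc0tiohZ",
     "tls_subject": "CN=Dell Technologies Inc", "tls_issuer": "CN=Dell Technologies Inc",
     "ports": {53: {"server": "nginx", "body": "<html></html>"}, 443: {}, 3389: {}}},
    {"ip": "192.0.2.20", "rdp_cn": None,
     "tls_subject": "CN=Dell Data Vault", "tls_issuer": "CN=Dell Data Vault",
     "ports": {443: {"server": "nginx", "body": "<h1>Page Not Found</h1>"}}},
    {"ip": "192.0.2.30", "rdp_cn": None,  # CA-issued cert and a normal 404 page: benign
     "tls_subject": "CN=www.dell.com", "tls_issuer": "CN=Example Public CA",
     "ports": {443: {"server": "nginx", "body": "<h1>Page Not Found</h1>"}}},
]

DELL_NAMES = re.compile(r"dell (technologies inc|data vault)", re.IGNORECASE)
SHARED_RDP_CN = "iZ5qjajwc0tiohZ"  # common name quoted in the key points

def spoofed_dell_cert(subject, issuer):
    """Heuristic: a self-signed cert (subject == issuer) carrying a Dell-style name."""
    return subject == issuer and bool(DELL_NAMES.search(subject))

def port53_http_without_404_text(ports):
    """Heuristic: HTTP on port 53 with an Nginx banner but no 'Page Not Found' body text."""
    svc = ports.get(53)
    if not svc:
        return False
    return "nginx" in svc.get("server", "").lower() and "page not found" not in svc.get("body", "").lower()

def classify(host):
    """Return (cluster_label, matched_reasons) for one scan observation."""
    reasons = []
    if spoofed_dell_cert(host["tls_subject"], host["tls_issuer"]):
        reasons.append("spoofed-dell-cert")
    if port53_http_without_404_text(host["ports"]):
        reasons.append("port53-nginx-no-404-text")
    if host.get("rdp_cn") == SHARED_RDP_CN:
        reasons.append("shared-rdp-cn")
    if not reasons:
        return "no-match", reasons
    # Cluster #1 = multi-port hosts exposing the port-53 HTTP service; Cluster #2 = 443-only hosts.
    if 53 in host["ports"]:
        return "cluster-1", reasons
    if set(host["ports"]) == {443}:
        return "cluster-2", reasons
    return "unclustered", reasons
```

Feeding real scan exports through `classify` requires mapping your scanner's field names onto the assumed record layout; the heuristics are a starting point for pivoting, not a proof of attribution.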
MITRE Techniques
- [T1071.001] Web Protocols – ShadowPad uses HTTP-based C2 with non-standard headers. Quote: ‘Similar HTTP Headers Without the “Page Not Found” Text’
- [T1036] Masquerading – The actor employs a certificate attempting to spoof American technology company, Dell. Quote: ‘certificate attempting to spoof American technology company, Dell.’
- [T1583] Acquire Infrastructure – The threat actor purchases servers from a reseller across multiple providers. Quote: ‘the threat actor purchasing the servers from a reseller.’
Indicators of Compromise
- [IP Address] ShadowPad 53-port cluster – 45.76.146.215, 81.68.102.11, and 28 more IPs
- [Domain] ShadowPad domains – app2.toggle2.com, update.performed12.com, and other domains
- [ASN] Service providers – The Constant Company, Tencent
- [Certificate Last Seen] Certificate dates – 2024-02-06, 2024-01-30
- [RDP Common Name] RDP CN patterns – iZ5qjajwc0tiohZ
Read more: https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates