Shadow-Earth-053 is a China-aligned campaign set that targeted government entities and critical infrastructure across Asia and a NATO member state by exploiting Microsoft Exchange and IIS N-day flaws. The attackers used GODZILLA for persistence and ShadowPad via DLL sideloading, while researchers uncovered 31 core IoCs and many related domains, IPs, and email-linked artifacts. #ShadowEarth053 #GODZILLA #ShadowPad #MicrosoftExchange #IIS
Key points
- Shadow-Earth-053 is a recently identified set of China-aligned campaigns targeting government and critical infrastructure in South, East, and Southeast Asia, plus a NATO member state.
- The operators exploited N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers to gain initial access.
- GODZILLA was deployed to maintain persistent access, and ShadowPad implants were staged through DLL sideloading of legitimate signed executables.
- Trend Micro identified 26 network IoCs, and the broader investigation expanded this to 31 core IoCs after filtering and enrichment.
- The IoCs included 16 subdomains, 10 domains, and 5 IP addresses, with several linked to malicious infrastructure and active resolution patterns.
- DNS and WHOIS analysis uncovered additional related artifacts, including 835 email-connected domains and multiple extra IP addresses.
- Several domains such as zimbra-beta[.]info and office365-update[.]com were flagged as likely malicious and appeared in malicious domain feeds before being labeled as IoCs.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The group gained access by abusing exposed server flaws in Microsoft Exchange and IIS (‘exploited N-day vulnerabilities in Internet-facing Microsoft Exchange and IIS servers’).
- [T1505.003] Server Software Component: Web Shell – GODZILLA was used to keep access on compromised servers (‘deployed GODZILLA to maintain persistent access’).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – ShadowPad was staged by loading malicious code through legitimate signed executables (‘stage ShadowPad implants via DLL sideloading of legitimate signed executables’).
- [T1090.001] Proxy: Internal Proxy – The infrastructure description indicates traffic interception through compromised routing paths (‘led to router compromise to traffic interception’).
- [T1110] Brute Force – Credential harvesting is explicitly described as part of the kill chain leading to compromise (‘credential harvesting’).
- [T1053] Scheduled Task/Job – Persistence is mentioned as an objective of the kill chain (‘to persistence’).
Indicators of Compromise
- [Domains] Malicious or suspicious domains tied to the campaign – zimbra-beta[.]info, office365-update[.]com, and 8 more domains
- [Subdomains] Brand-impersonation and operator-controlled infrastructure – cert[.]kaspersky[.]icu, erp[.]kaspersky[.]icu, and 14 more subdomains
- [IP Addresses] Network endpoints associated with the infrastructure and historical resolutions – 194[.]38[.]11[.]3, 185[.]X[.]X[.]X, and 3 more IPs
- [Email Addresses] Public WHOIS contacts later linked to many connected domains – 32 historical email addresses, including 5 public email addresses
- [Email-connected Domains] Domains registered using recovered email addresses – 835 email-connected domains
- [DNS Resolution Records] Historical domain-to-IP and IP-to-domain resolution activity – 1,297 historical domain-to-IP resolutions, 839 historical IP-to-domain resolutions
- [Client/Victim IPs] External systems observed communicating with the infrastructure – 865 unique client IP addresses, 10 potentially victim-owned IP addresses
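As an added example (not code from the CircleID post or from Trend Micro), the defanged domains and IPs listed above can be refanged and matched against DNS query logs; the script below does this over a constructed log sample, matching subdomains of a listed domain on label boundaries so that a look-alike such as notzimbra-beta.info does not fire.

```python
import re

# Defanged indicators as listed on the page (only those printed in full).
IOC_DOMAINS = ["zimbra-beta[.]info", "office365-update[.]com",
               "cert[.]kaspersky[.]icu", "erp[.]kaspersky[.]icu"]
IOC_IPS = ["194[.]38[.]11[.]3"]

# Constructed sample of DNS-style log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z client 10.0.0.5 query: mail.zimbra-beta.info A",
    "2024-03-01T08:00:02Z client 10.0.0.5 query: notzimbra-beta.info A",
    "2024-03-01T08:00:03Z client 10.0.0.7 query: erp.kaspersky.icu A -> 194.38.11.3",
    "2024-03-01T08:00:04Z client 10.0.0.9 query: www.microsoft.com A",
]

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(ioc):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


def domain_hit(name, domains):
    """Return the IoC domain that `name` equals or is a subdomain of, else None.
    Works on label boundaries, so 'notzimbra-beta.info' never matches 'zimbra-beta.info'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Scan log lines and return (line_no, indicator, kind) for every IoC hit."""
    domains = {refang(d) for d in ioc_domains}
    ips = {refang(i) for i in ioc_ips}
    hits = []
    for n, line in enumerate(lines, 1):
        for name in DOMAIN_RE.findall(line):
            hit = domain_hit(name, domains)
            if hit:
                hits.append((n, hit, "domain"))
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip, "ip"))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```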
Read more: https://circleid.com/posts/a-dns-investigation-of-shadow-earth-053