| Name | Description |
|---|---|
| POISONPLUG.SHADOW | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.[3] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ShadowPad has decrypted a binary blob to start execution.[3] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | ShadowPad uses a DGA that is based on the day of the month for C2 servers.[2][3][4] |
| Enterprise | T1070 | Indicator Removal | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1112 | Modify Registry | ShadowPad can modify the Registry to store and maintain a configuration block and virtual file system.[3][5] |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1027 | Obfuscated Files or Information | ShadowPad has encrypted its payload, a virtual file system, and various files.[2][5] |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | ShadowPad maintains a configuration block and virtual file system in the Registry.[3][5] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055 | Process Injection | ShadowPad has injected an install module into a newly created process.[3] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | |
| Enterprise | T1029 | Scheduled Transfer | |
| Enterprise | T1082 | System Information Discovery | ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.[3] |
| Enterprise | T1016 | System Network Configuration Discovery | ShadowPad has collected the domain name of the victim system.[3] |
| Enterprise | T1033 | System Owner/User Discovery | ShadowPad has collected the username of the victim system.[3] |
| Enterprise | T1124 | System Time Discovery | ShadowPad has collected the current date and time of the victim system.[3] |
| ID | Name | References |
|---|---|---|
| G0081 | Tropic Trooper | |
| G0131 | Tonto Team | |
| G0096 | APT41 | |
| G0143 | Aquatic Panda | Aquatic Panda used ShadowPad as a remote access tool to victim environments.[7] |
| G1006 | Earth Lusca | |
| G0060 | BRONZE BUTLER | |