ShadowPad (2448a4e1-46e3-4c42-9fd1-f51f8ede58c1)
ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
ShadowPad (2448a4e1-46e3-4c42-9fd1-f51f8ede58c1) | Tool | ShadowPad (e089e945-a523-4d11-a135-396f9b6c1dc7) | Malpedia | 1 |