
ShadowPad Malware Upgrade Enables Stealthy Ransomware Deployment


In a concerning development, cybersecurity researchers have identified an upgraded version of the ShadowPad malware being used in ransomware attacks across multiple industries and geographic regions.

This advanced malware, historically associated with Chinese threat actors, has evolved to facilitate undetected ransomware deployment, posing a significant threat to businesses worldwide.

ShadowPad, a modular malware family first discovered in 2017, has undergone substantial updates, enhancing its ability to evade detection and complicate analysis.

Recent investigations revealed that threat actors exploited weak passwords and bypassed multi-factor authentication mechanisms to infiltrate corporate networks.

Once inside, they deployed ShadowPad on critical systems, including domain controllers, enabling further malicious activities.

The updated malware incorporates features such as DNS over HTTPS (DoH) for stealthy command-and-control communication, which hides its lookups from conventional DNS logging, and anti-debugging techniques that hinder dynamic analysis of the sample.
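DoH matters to defenders because the DNS lookups that would normally appear in resolver logs are instead carried inside HTTPS requests to a public resolver. The following Python script is an added example, not code from this article or from the Trend Micro report, showing what such a request looks like on the wire according to RFC 8484 and how the queried name can be recovered from a proxied GET request. The proxy log lines it parses are constructed for illustration; the resolver hostnames, client addresses and queried domain in them are assumptions, not indicators from the report.

```python
import base64
import re
import struct


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query (RFC 1035): header, one question, no records.

    RFC 8484 recommends transaction id 0 for DoH GET so that identical queries
    produce identical (cacheable) URLs.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN


def to_doh_get_param(query: bytes) -> str:
    """RFC 8484 `?dns=` parameter: base64url with the padding removed."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def from_doh_get_param(param: str) -> bytes:
    """Inverse of to_doh_get_param; restores the padding base64url strips."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_qname(message: bytes) -> str:
    """Return the first question name from a DNS wire-format message.

    Question-section names are never compressed, so plain labels suffice here.
    """
    pos, labels = 12, []  # skip the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


# Constructed proxy log lines (timestamp, client, method, URL); not from the report.
_SAMPLE = to_doh_get_param(build_dns_query("update.example.net"))
PROXY_LOG = (
    "2024-10-02T09:14:03Z 10.0.5.21 GET https://intranet.corp.local/index.html\n"
    f"2024-10-02T09:14:07Z 10.0.5.21 GET https://cloudflare-dns.com/dns-query?dns={_SAMPLE}\n"
    "2024-10-02T09:14:12Z 10.0.5.21 POST https://1.1.1.1/dns-query\n"
)

DOH_URL_RE = re.compile(r"https?://([^/\s]+)/dns-query(?:\?dns=([A-Za-z0-9_-]+))?")


def find_doh_requests(log_text: str) -> list:
    """Flag /dns-query requests and, for GET, recover the queried name from the URL."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, method, url = line.split(maxsplit=3)
        m = DOH_URL_RE.search(url)
        if not m:
            continue
        resolver, dns_param = m.groups()
        qname = parse_qname(from_doh_get_param(dns_param)) if dns_param else None
        hits.append({"client": client, "resolver": resolver, "method": method, "qname": qname})
    return hits


if __name__ == "__main__":
    for hit in find_doh_requests(PROXY_LOG):
        print(hit)
```

Only a DoH GET exposes the query in the URL; a POST carries it in the body, and without TLS inspection all that remains visible is the resolver's hostname or IP. Pair URL matching with a maintained list of public DoH resolvers and with endpoint telemetry on which processes open those connections, since a domain controller process talking to a public resolver is itself the signal.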

Additionally, ShadowPad now stores its payload in the victim's registry encrypted under a key derived from unique machine identifiers, so a payload copied off one host cannot be decrypted elsewhere; this makes it considerably harder for researchers to recover the payload for analysis.
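The practical consequence for analysts is that a registry export alone is not enough: the decryption key exists only on the infected host. The Python below is an added illustration of that design, not ShadowPad's own code (the article does not specify which identifiers or which cipher the malware uses). It derives a key from constructed machine identifiers, seals a placeholder payload under it, and shows that the same blob refuses to open with a second host's identifiers. The identifier values, the PBKDF2 salt and the HMAC-SHA256 counter-mode stream cipher are all assumptions chosen so the example runs with the standard library alone.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed identifiers for two hosts (illustrative, not real values). Which
# identifiers ShadowPad actually combines is not stated in the article; a
# MachineGuid plus a volume serial is an assumption made for this example.
HOST_A = {"machine_guid": "5c2f6a1e-7d42-4b1a-9d3e-000000000001", "volume_serial": 0x1A2B3C4D}
HOST_B = {"machine_guid": "5c2f6a1e-7d42-4b1a-9d3e-000000000002", "volume_serial": 0x1A2B3C4D}

SALT = b"registry-blob-v1"  # assumed constant; ties the derivation to this scheme


def derive_key(ids: dict) -> bytes:
    """32-byte key bound to the host: changing any identifier changes every bit of it."""
    material = ids["machine_guid"].encode("ascii") + struct.pack("<I", ids["volume_serial"])
    return hashlib.pbkdf2_hmac("sha256", material, SALT, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher (stand-in for a real cipher)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def seal_payload(ids: dict, payload: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag, as it might sit in a registry value."""
    key = derive_key(ids)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_payload(ids: dict, blob: bytes) -> Optional[bytes]:
    """Return the payload only if the tag verifies under *this* host's derived key."""
    key = derive_key(ids)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong host (or tampered blob): no plaintext, not even garbage
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    blob = seal_payload(HOST_A, b"<stage-2 placeholder>")
    print("same host  :", open_payload(HOST_A, blob))
    print("other host :", open_payload(HOST_B, blob))
```

When collecting evidence from a suspected host, capture the machine-specific values (and the registry blob) together, and record which values the sample reads; a later attempt to decrypt the blob in a lab will fail unless those exact identifiers are reproduced.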

Ransomware Deployment: A Rare but Alarming Trend

In an unusual move for ShadowPad operators, two recent incidents involved the deployment of a previously unreported ransomware family.

The ransomware encrypted files on targeted systems while excluding critical directories and file types like executables and system files.

Encrypted files were appended with a “.locked” extension, accompanied by ransom notes resembling those used by the Kodex Evil Extractor tool.

However, analysis confirmed that the ransomware was distinct from Kodex’s documented behavior.

The ransomware used a hybrid encryption scheme: files were encrypted with randomly generated AES keys, and those keys were in turn encrypted with an RSA public key hardcoded in the binary, so recovering the files requires the attackers' corresponding private key.

Despite these efforts, no ransom payments were detected, suggesting that this phase of the attack may have been experimental or intended for disruption rather than financial gain.

Global Impact Across Industries

Over the past seven months, ShadowPad-related activity has targeted at least 21 organizations spanning 15 countries across Europe, Asia, the Middle East, and South America.

The manufacturing sector bore the brunt of these attacks, accounting for more than half of the affected entities.

Other impacted industries included transportation, energy, banking, and education.

According to Trend Micro's report, the attackers' ultimate objectives remain unclear but may involve intellectual property theft alongside ransomware deployment.

In several cases, evidence pointed to data exfiltration activities such as Active Directory information dumping and subsequent deletion of related files.

(Figure: structure of the ShadowPad configuration file)

The resurgence and evolution of ShadowPad underscore the importance of robust cybersecurity measures.

Organizations are urged to enforce strong password policies, implement multi-factor authentication rigorously, and monitor for indicators of compromise linked to ShadowPad campaigns.

Proactive threat hunting and leveraging advanced security platforms can help mitigate risks posed by this sophisticated malware.

This development highlights the growing convergence of espionage-focused malware with financially motivated ransomware tactics, a trend that could redefine the cybersecurity landscape in years to come.
