Tracking ShadowPad Infrastructure Via Non-Standard Certificates

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity different is a slight change in the HTTP response headers and the use of a certificate attempting to spoof American technology company, Dell. Within this group of IPs, there are additional subsets of activity utilizing different port configurations and some interesting domains, discussed later in this article.

Thanks to Greg & Cal for answering my questions regarding this infrastructure.

Out With The Old?

Stay with me if you're already familiar with detecting ShadowPad using the standard HTTP headers with Nginx servers and TLS certificates using my* fields.

ShadowPad is a modular trojan shared privately by several suspected state-linked Chinese threats since 2019. It has been used in network intrusions focused on espionage, information theft, and even financial gain.

See Figures 1 & 2 below for examples of recently identified ShadowPad infrastructure.

Figure 2: Well-Known ShadowPad TLS Certificate 

*These servers and many more are tagged and available to Hunt users. Apply for an account today, and let us know what you think.

One could quickly start tracking servers with the above information (in addition to other factors such as provider, location, domains, etc. ) and add them to network blocklists. The only problem with this approach is that focusing on an oft-seen certificate will prevent defenders from missing minor changes to similar infrastructure.

Let's look at what made this set of IP addresses stand out from the others.

What's The Difference?

We've identified over 30 servers using the spoofed Dell certificate from across the internet. Note: The ports listed utilize the cert and do not indicate overall ports found on each IP address.

There are two ways to dig into this infrastructure: via the Advanced Search feature (below) or as part of the more extensive set of ShadowPad servers Hunt tracks, pictured in Figure 4.

Figure 3: Snippet of Advanced Search Results 

Figure 4: Tagging of ports using the Dell certificate in the Hunt platform 

Figure 5: Certificate For Subset of ShadowPad Infrastructure 

All fields of the certificate are listed below:

C=US, ST=Texas, L=Round Rock, O=Dell Technologies Inc., OU=Dell Data Vault, CN=Dell Technologies Inc.

The HTTP headers in Figure 6 should look familiar. When combined with the previously described additional factors and third-party intelligence (Recorded Future & VirusTotal), we have confirmation that we are on the trail of an actor(s) using ShadowPad.

Cracking The Dell Data Vault

None of the IP addresses identified as linked to the malware are consecutively assigned, which could indicate a threat actor purchasing the servers from a reseller. However, many are closely related, which shows a strong preference for one provider over others.

Figures 7 and 8 below show the providers making up the infrastructure, as well as the geolocations of the servers.

Suspected Cluster #1

Ports utilized for likely C2 communication consist of common ports: 53, 80, 443, 8080, 8443, 44444. While port 53 is nothing new when discussing malware communicating with a controller, just 12 IPs out of the 30+ identified have the port exposed as an HTTP server with an Nginx header (Figure 9).

Without malware samples and additional information to analyze, this anomaly has three possible motives:

1 Targeted Deployment: Standard C2 ports are used for most servers. However, this subset could represent a high-value target, where leveraging port 53 is believed to bypass detection.

2 Possible Misconfiguration: This could be an unintentional mistake made during server setup.

3 Second or Third Actor: The servers using port 53 may belong to a separate actor. While the 31 IPs identified share similarities, this subset might be part of a separate operation utilizing specific tactics and tools.

Of course, all three of the above could be wrong. There may be a part 2 to this post.

Figure 10: One of the 12 servers using the ShadowPad certificate on port 53 

IP addresses and domains of this suspected cluster are below.

Table 1: Port 53 cluster IPs, domains, ASN, and certificate last seen dates

Theory #1 could be a possibility when looking at the domains in Table 1 compared to the rest. The following entities are being spoofed:

• • Microsoft
• • KazakhTelecom -- and Kazakhstan's largest telecom company.
• • Google
• • SuperMicro -- A US IT company with offices in The Netherlands & Taiwan.
• • Shaduruanjian -- Translates to "antivirus software" from Chinese.

Suspected Cluster #2:

I don't feel as strongly about this suspected cluster as the first, but it's interesting enough from the rest of the IPs that it's still worth putting out there for other researchers to dig into. All servers identified in Hunt share similar ports, 53, 80, etc., except for five, which only use port 443 for ShadowPad. The IPs in question are listed below.

Table 2: Smaller possible cluster using only port 443

Bonus

The spoofed Dell certificates weren't the only interesting information found when looking at this infrastructure. Many servers utilized a pattern of common names for RDP. For example, "iZ5qjajwc0tiohZ" was seen amongst 11 IPs and not associated with the port 53 cluster.

Additional RDP CNs are listed below.

Figure 11: First example of interesting RDP cert common name 

Figure 12: Another example of RDP cert 

Figure 13: Final example of similar RDP certificates 

Conclusion

Hopefully, you enjoyed this post highlighting how looking outside default detection signatures can unveil malicious infrastructure. While most servers relied on standard communication ports, an interesting subset of 12 IPs utilized an HTTP server on port 53, raising questions about targeted deployment or misconfigurations.

If you haven't already, apply for an account and join me in researching additional ShadowPad servers.

Remaining IPs/Domains