Tracking ShadowPad Infrastructure Via Non-Standard Certificates

Tracking ShadowPad Infrastructure Via Non-Standard Certificates

Published on

Published on

Published on

Feb 9, 2024

Feb 9, 2024

Feb 9, 2024

Tracking ShadowPad Infrastructure Via Non-Standard Certificates
Tracking ShadowPad Infrastructure Via Non-Standard Certificates
Tracking ShadowPad Infrastructure Via Non-Standard Certificates
TABLE OF CONTENTS

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity different is a slight change in the HTTP response headers and the use of a certificate attempting to spoof American technology company, Dell. Within this group of IPs, there are additional subsets of activity utilizing different port configurations and some interesting domains, discussed later in this article.

Thanks to Greg & Cal for answering my questions regarding this infrastructure.

Out With The Old?

Stay with me if you're already familiar with detecting ShadowPad using the standard HTTP headers with Nginx servers and TLS certificates using my* fields.

ShadowPad is a modular trojan shared privately by several suspected state-linked Chinese threats since 2019. It has been used in network intrusions focused on espionage, information theft, and even financial gain.

See Figures 1 & 2 below for examples of recently identified ShadowPad infrastructure.

httpshuntioimagesblogsshadowpadimg-1-3xwebp
Figure 1: Common ShadowPad Nginx HTTP Response
httpshuntioimagesblogsshadowpadimg-2-3xwebp
Figure 2: Well-Known ShadowPad TLS Certificate 

*These servers and many more are tagged and available to Hunt users. Apply for an account today, and let us know what you think.

One could quickly start tracking servers with the above information (in addition to other factors such as provider, location, domains, etc. ) and add them to network blocklists. The only problem with this approach is that focusing on an oft-seen certificate will prevent defenders from missing minor changes to similar infrastructure.

Let's look at what made this set of IP addresses stand out from the others.

What's The Difference?

We've identified over 30 servers using the spoofed Dell certificate from across the internet. Note: The ports listed utilize the cert and do not indicate overall ports found on each IP address.

There are two ways to dig into this infrastructure: via the Advanced Search feature (below) or as part of the more extensive set of ShadowPad servers Hunt tracks, pictured in Figure 4.

httpshuntioimagesblogsshadowpadimg-3-3xwebp
Figure 3: Snippet of Advanced Search Results 
httpshuntioimagesblogsshadowpadimg-4-3xwebp
Figure 4: Tagging of ports using the Dell certificate in the Hunt platform 
httpshuntioimagesblogsshadowpadimg-5-3xwebp
Figure 5: Certificate For Subset of ShadowPad Infrastructure 

All fields of the certificate are listed below:

C=US, ST=Texas, L=Round Rock, O=Dell Technologies Inc., OU=Dell Data Vault, CN=Dell Technologies Inc.

httpshuntioimagesblogsshadowpadimg-6-3xwebp
Figure 6: Similar HTTP Headers Without the "Page Not Found" Text

The HTTP headers in Figure 6 should look familiar. When combined with the previously described additional factors and third-party intelligence (Recorded Future & VirusTotal), we have confirmation that we are on the trail of an actor(s) using ShadowPad.

Cracking The Dell Data Vault

None of the IP addresses identified as linked to the malware are consecutively assigned, which could indicate a threat actor purchasing the servers from a reseller. However, many are closely related, which shows a strong preference for one provider over others.

Figures 7 and 8 below show the providers making up the infrastructure, as well as the geolocations of the servers.

httpshuntioimagesblogsshadowpadimg-7-3xwebp
Figure 7: Providers used in this set of ShadowPad C2s (Brought to life by Plotly.py)
httpshuntioimagesblogsshadowpadimg-8-3xwebp
Figure 8: Geographical data of ShadowPad servers (Brought to life by Plotly.py)

Suspected Cluster #1

Ports utilized for likely C2 communication consist of common ports: 53, 80, 443, 8080, 8443, 44444. While port 53 is nothing new when discussing malware communicating with a controller, just 12 IPs out of the 30+ identified have the port exposed as an HTTP server with an Nginx header (Figure 9).

Without malware samples and additional information to analyze, this anomaly has three possible motives:

1 Targeted Deployment: Standard C2 ports are used for most servers. However, this subset could represent a high-value target, where leveraging port 53 is believed to bypass detection.

2 Possible Misconfiguration: This could be an unintentional mistake made during server setup.

3 Second or Third Actor: The servers using port 53 may belong to a separate actor. While the 31 IPs identified share similarities, this subset might be part of a separate operation utilizing specific tactics and tools.

Of course, all three of the above could be wrong. There may be a part 2 to this post.

httpshuntioimagesblogsshadowpadimg-9-3xwebp
Figure 9: Nginx header on port 53
httpshuntioimagesblogsshadowpadimg-10-3xwebp
Figure 10: One of the 12 servers using the ShadowPad certificate on port 53 

IP addresses and domains of this suspected cluster are below.

IP AddressDomainASNCert Last Seen
45.76.146.215app2[.]toggle2[.]comThe Constant Company2024-02-06
81.68.102.11N/ATencent2024-02-06
47.254.251.168N/AAlibaba (US)2024-01-30
139.180.188.54update[.]performed12.com\
www[.]fadfar[.]com\
kzb[.]performed12[.]com\
time[.]afsder[.]com\
updata[.]dsqueryonline[.]com\
microsoft[.]performed12[.]com\
updata[.]installation77[.]com\
az[.]performed12[.]com\
time[.]kkdiscover[.]com\
update[.]kkdiscover[.]com\
power[.]installation77[.]com\
The Constant Company2024-02-06
8.217.107.25N/AAlibaba (US)2024-02-05
38.60.193.62N/AKaopou Cloud HK2024-02-05
38.54.105.226microsoft[.]kiwi[.]nz\
www[.]kazakhtelecom[.]zzux[.]com\
kazakhtelecom[.]zzux[.]com\
google[.]org[.]im\
www[.]google[.]org[.]im\
turkeylahainasunset[.]com\
www[.]microsoft[.]kiwi[.]nz\
Kaopou Cloud HK2024-02-04
108.61.163.91czs[.]superdasqe[.]meThe Constant Company2024-02-06
47.243.60.4N/AAlibaba (US)2024-02-02
8.218.214.23N/AAlibaba (US)2024-02-02
8.218.248.158N/AAlibaba (US)2024-01-26
8.218.163.77mirco[.]supermirco[.]us\
mircoo[.]supermirco[.]usAlibaba (US)2024-02-04
47.242.52.22update[.]micro[.]gay\
ns[.]supermirco[.]us\
shaduruanjian8[.]com\
img[.]shaduruanjian8[.]com\
www[.]shaduranjian8[.]com\
m[.]shadurauanjian8[.]com\
update[.]imiul[.]com\
Alibaba (US)2024-02-06

Table 1: Port 53 cluster IPs, domains, ASN, and certificate last seen dates

Theory #1 could be a possibility when looking at the domains in Table 1 compared to the rest. The following entities are being spoofed:

    • Microsoft
    • KazakhTelecom -- and Kazakhstan's largest telecom company.
    • Google
    • SuperMicro -- A US IT company with offices in The Netherlands & Taiwan.
    • Shaduruanjian -- Translates to "antivirus software" from Chinese.

Suspected Cluster #2:

I don't feel as strongly about this suspected cluster as the first, but it's interesting enough from the rest of the IPs that it's still worth putting out there for other researchers to dig into. All servers identified in Hunt share similar ports, 53, 80, etc., except for five, which only use port 443 for ShadowPad. The IPs in question are listed below.

IP AddressDomainASNCert Last Seen
8.217.96.167N/AAlibaba (US)2024-01-28
149.28.135.145N/AThe Constant Company2024-01-24
45.76.84.222N/AThe Constant Company2024-01-31
45.32.127.56www[.]bernaspos[.]com\
bernaspos[.]com\
The Constant Company2024-01-31
185.81.114.45pitikytech[.]me\
mail[.]pitikytech[.]me\
HZ Hosting Ltd2024-01-18

Table 2: Smaller possible cluster using only port 443

Bonus

The spoofed Dell certificates weren't the only interesting information found when looking at this infrastructure. Many servers utilized a pattern of common names for RDP. For example, "iZ5qjajwc0tiohZ" was seen amongst 11 IPs and not associated with the port 53 cluster.

Additional RDP CNs are listed below.

httpshuntioimagesblogsshadowpadimg-11-3xwebp
Figure 11: First example of interesting RDP cert common name 
httpshuntioimagesblogsshadowpadimg-12-3xwebp
Figure 12: Another example of RDP cert 
httpshuntioimagesblogsshadowpadimg-13-3xwebp
Figure 13: Final example of similar RDP certificates 

Conclusion

Hopefully, you enjoyed this post highlighting how looking outside default detection signatures can unveil malicious infrastructure. While most servers relied on standard communication ports, an interesting subset of 12 IPs utilized an HTTP server on port 53, raising questions about targeted deployment or misconfigurations.

If you haven't already, apply for an account and join me in researching additional ShadowPad servers.

Remaining IPs/Domains

IP AddressDomainASNCert Last Seen
8.210.74.92N/AAlibaba (US)2024-01-31
8.218.17.11N/AAlibaba (US)2024-02-06
43.153.92.190N/ATencent2024-02-06
8.218.56.204api[.]sourcedata[.]kuwannba[.]comAlibaba (US)2024-02-06
8.217.0.193update[.]imjzo[.]comAlibaba (US)2024-02-06
8.218.244.117ayana[.]imiul[.]com\
icw[.]imiul[.]comAlibaba (US)2024-02-01
139.84.168.128update[.]alpha-els[.]comThe Constant Company2024-01-31
146.70.92.137N/AM247 Europe2024-01-28
8.217.84.192N/AAlibaba (US)2024-02-01
8.210.174.168N/AAlibaba (US)2024-02-04
8.210.168.192wagodo[.]imiul[.]comAlibaba (US)2024-02-01
8.210.134.47www[.]stdhgd[.]com\
wait[.]imiul[.]comAlibaba (US)2024-02-06
8.210.221.119N/AAlibaba (US)2024-01-29
8.218.128.35wapaku[.]imiul[.]comAlibaba (US)2024-02-02
8.218.213.245N/AAlibaba (US)2024-02-06
5.34.176.152foligni[.]it\
mails[.]foligni[.]itGreen Floid LLC2024-01-18
TABLE OF CONTENTS

This post will examine ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity different is a slight change in the HTTP response headers and the use of a certificate attempting to spoof American technology company, Dell. Within this group of IPs, there are additional subsets of activity utilizing different port configurations and some interesting domains, discussed later in this article.

Thanks to Greg & Cal for answering my questions regarding this infrastructure.

Out With The Old?

Stay with me if you're already familiar with detecting ShadowPad using the standard HTTP headers with Nginx servers and TLS certificates using my* fields.

ShadowPad is a modular trojan shared privately by several suspected state-linked Chinese threats since 2019. It has been used in network intrusions focused on espionage, information theft, and even financial gain.

See Figures 1 & 2 below for examples of recently identified ShadowPad infrastructure.

httpshuntioimagesblogsshadowpadimg-1-3xwebp
Figure 1: Common ShadowPad Nginx HTTP Response
httpshuntioimagesblogsshadowpadimg-2-3xwebp
Figure 2: Well-Known ShadowPad TLS Certificate 

*These servers and many more are tagged and available to Hunt users. Apply for an account today, and let us know what you think.

One could quickly start tracking servers with the above information (in addition to other factors such as provider, location, domains, etc. ) and add them to network blocklists. The only problem with this approach is that focusing on an oft-seen certificate will prevent defenders from missing minor changes to similar infrastructure.

Let's look at what made this set of IP addresses stand out from the others.

What's The Difference?

We've identified over 30 servers using the spoofed Dell certificate from across the internet. Note: The ports listed utilize the cert and do not indicate overall ports found on each IP address.

There are two ways to dig into this infrastructure: via the Advanced Search feature (below) or as part of the more extensive set of ShadowPad servers Hunt tracks, pictured in Figure 4.

httpshuntioimagesblogsshadowpadimg-3-3xwebp
Figure 3: Snippet of Advanced Search Results 
httpshuntioimagesblogsshadowpadimg-4-3xwebp
Figure 4: Tagging of ports using the Dell certificate in the Hunt platform 
httpshuntioimagesblogsshadowpadimg-5-3xwebp
Figure 5: Certificate For Subset of ShadowPad Infrastructure 

All fields of the certificate are listed below:

C=US, ST=Texas, L=Round Rock, O=Dell Technologies Inc., OU=Dell Data Vault, CN=Dell Technologies Inc.

httpshuntioimagesblogsshadowpadimg-6-3xwebp
Figure 6: Similar HTTP Headers Without the "Page Not Found" Text

The HTTP headers in Figure 6 should look familiar. When combined with the previously described additional factors and third-party intelligence (Recorded Future & VirusTotal), we have confirmation that we are on the trail of an actor(s) using ShadowPad.

Cracking The Dell Data Vault

None of the IP addresses identified as linked to the malware are consecutively assigned, which could indicate a threat actor purchasing the servers from a reseller. However, many are closely related, which shows a strong preference for one provider over others.

Figures 7 and 8 below show the providers making up the infrastructure, as well as the geolocations of the servers.

httpshuntioimagesblogsshadowpadimg-7-3xwebp
Figure 7: Providers used in this set of ShadowPad C2s (Brought to life by Plotly.py)
httpshuntioimagesblogsshadowpadimg-8-3xwebp
Figure 8: Geographical data of ShadowPad servers (Brought to life by Plotly.py)

Suspected Cluster #1

Ports utilized for likely C2 communication consist of common ports: 53, 80, 443, 8080, 8443, 44444. While port 53 is nothing new when discussing malware communicating with a controller, just 12 IPs out of the 30+ identified have the port exposed as an HTTP server with an Nginx header (Figure 9).

Without malware samples and additional information to analyze, this anomaly has three possible motives:

1 Targeted Deployment: Standard C2 ports are used for most servers. However, this subset could represent a high-value target, where leveraging port 53 is believed to bypass detection.

2 Possible Misconfiguration: This could be an unintentional mistake made during server setup.

3 Second or Third Actor: The servers using port 53 may belong to a separate actor. While the 31 IPs identified share similarities, this subset might be part of a separate operation utilizing specific tactics and tools.

Of course, all three of the above could be wrong. There may be a part 2 to this post.

httpshuntioimagesblogsshadowpadimg-9-3xwebp
Figure 9: Nginx header on port 53
httpshuntioimagesblogsshadowpadimg-10-3xwebp
Figure 10: One of the 12 servers using the ShadowPad certificate on port 53 

IP addresses and domains of this suspected cluster are below.

IP AddressDomainASNCert Last Seen
45.76.146.215app2[.]toggle2[.]comThe Constant Company2024-02-06
81.68.102.11N/ATencent2024-02-06
47.254.251.168N/AAlibaba (US)2024-01-30
139.180.188.54update[.]performed12.com\
www[.]fadfar[.]com\
kzb[.]performed12[.]com\
time[.]afsder[.]com\
updata[.]dsqueryonline[.]com\
microsoft[.]performed12[.]com\
updata[.]installation77[.]com\
az[.]performed12[.]com\
time[.]kkdiscover[.]com\
update[.]kkdiscover[.]com\
power[.]installation77[.]com\
The Constant Company2024-02-06
8.217.107.25N/AAlibaba (US)2024-02-05
38.60.193.62N/AKaopou Cloud HK2024-02-05
38.54.105.226microsoft[.]kiwi[.]nz\
www[.]kazakhtelecom[.]zzux[.]com\
kazakhtelecom[.]zzux[.]com\
google[.]org[.]im\
www[.]google[.]org[.]im\
turkeylahainasunset[.]com\
www[.]microsoft[.]kiwi[.]nz\
Kaopou Cloud HK2024-02-04
108.61.163.91czs[.]superdasqe[.]meThe Constant Company2024-02-06
47.243.60.4N/AAlibaba (US)2024-02-02
8.218.214.23N/AAlibaba (US)2024-02-02
8.218.248.158N/AAlibaba (US)2024-01-26
8.218.163.77mirco[.]supermirco[.]us\
mircoo[.]supermirco[.]usAlibaba (US)2024-02-04
47.242.52.22update[.]micro[.]gay\
ns[.]supermirco[.]us\
shaduruanjian8[.]com\
img[.]shaduruanjian8[.]com\
www[.]shaduranjian8[.]com\
m[.]shadurauanjian8[.]com\
update[.]imiul[.]com\
Alibaba (US)2024-02-06

Table 1: Port 53 cluster IPs, domains, ASN, and certificate last seen dates

Theory #1 could be a possibility when looking at the domains in Table 1 compared to the rest. The following entities are being spoofed:

    • Microsoft
    • KazakhTelecom -- and Kazakhstan's largest telecom company.
    • Google
    • SuperMicro -- A US IT company with offices in The Netherlands & Taiwan.
    • Shaduruanjian -- Translates to "antivirus software" from Chinese.

Suspected Cluster #2:

I don't feel as strongly about this suspected cluster as the first, but it's interesting enough from the rest of the IPs that it's still worth putting out there for other researchers to dig into. All servers identified in Hunt share similar ports, 53, 80, etc., except for five, which only use port 443 for ShadowPad. The IPs in question are listed below.

IP AddressDomainASNCert Last Seen
8.217.96.167N/AAlibaba (US)2024-01-28
149.28.135.145N/AThe Constant Company2024-01-24
45.76.84.222N/AThe Constant Company2024-01-31
45.32.127.56www[.]bernaspos[.]com\
bernaspos[.]com\
The Constant Company2024-01-31
185.81.114.45pitikytech[.]me\
mail[.]pitikytech[.]me\
HZ Hosting Ltd2024-01-18

Table 2: Smaller possible cluster using only port 443

Bonus

The spoofed Dell certificates weren't the only interesting information found when looking at this infrastructure. Many servers utilized a pattern of common names for RDP. For example, "iZ5qjajwc0tiohZ" was seen amongst 11 IPs and not associated with the port 53 cluster.

Additional RDP CNs are listed below.

httpshuntioimagesblogsshadowpadimg-11-3xwebp
Figure 11: First example of interesting RDP cert common name 
httpshuntioimagesblogsshadowpadimg-12-3xwebp
Figure 12: Another example of RDP cert 
httpshuntioimagesblogsshadowpadimg-13-3xwebp
Figure 13: Final example of similar RDP certificates 

Conclusion

Hopefully, you enjoyed this post highlighting how looking outside default detection signatures can unveil malicious infrastructure. While most servers relied on standard communication ports, an interesting subset of 12 IPs utilized an HTTP server on port 53, raising questions about targeted deployment or misconfigurations.

If you haven't already, apply for an account and join me in researching additional ShadowPad servers.

Remaining IPs/Domains

IP AddressDomainASNCert Last Seen
8.210.74.92N/AAlibaba (US)2024-01-31
8.218.17.11N/AAlibaba (US)2024-02-06
43.153.92.190N/ATencent2024-02-06
8.218.56.204api[.]sourcedata[.]kuwannba[.]comAlibaba (US)2024-02-06
8.217.0.193update[.]imjzo[.]comAlibaba (US)2024-02-06
8.218.244.117ayana[.]imiul[.]com\
icw[.]imiul[.]comAlibaba (US)2024-02-01
139.84.168.128update[.]alpha-els[.]comThe Constant Company2024-01-31
146.70.92.137N/AM247 Europe2024-01-28
8.217.84.192N/AAlibaba (US)2024-02-01
8.210.174.168N/AAlibaba (US)2024-02-04
8.210.168.192wagodo[.]imiul[.]comAlibaba (US)2024-02-01
8.210.134.47www[.]stdhgd[.]com\
wait[.]imiul[.]comAlibaba (US)2024-02-06
8.210.221.119N/AAlibaba (US)2024-01-29
8.218.128.35wapaku[.]imiul[.]comAlibaba (US)2024-02-02
8.218.213.245N/AAlibaba (US)2024-02-06
5.34.176.152foligni[.]it\
mails[.]foligni[.]itGreen Floid LLC2024-01-18

Related Posts:

Announcing Hunt SQL
Oct 3, 2024

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Announcing Hunt SQL
Oct 3, 2024

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection  | Hunt.io
Oct 1, 2024

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection  | Hunt.io
Oct 1, 2024

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory
Sep 24, 2024

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory
Sep 24, 2024

Check out our new blog post on exposed files found in an open directory that reveal an attack with overlapping TTPs linked to the Stargazers network.

Announcing Hunt APIs
Sep 17, 2024

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 Address and enrich any existing system.

Announcing Hunt APIs
Sep 17, 2024

Today Hunt is announcing our IP Enrichment API. You can get detailed data on every IPv4 Address and enrich any existing system.

Announcing Hunt SQL
Oct 3, 2024

We’re excited to release Hunt SQL and to provide the power and flexibility of SQL to researchers, analysts and threat hunters alike. 

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection  | Hunt.io
Oct 1, 2024

Unboxing the Threat: How Malicious Python Scripts Use the BoxedApp SDK to Evade Detection | Hunt.io