• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Agent Tesla Malware – Active IOCs
April 13, 2022
Rewterz Threat Advisory – Multiple Microsoft Patch Tuesday Vulnerabilities
April 13, 2022

Rewterz Threat Alert – ShadowPad RAT – Active IOCs

April 13, 2022

Severity

High

Analysis Summary

ShadowPad is a RAT (Remote Access Trojan) that being used frequently by several Chinese state-sponsored Threat actors. The activity using ShadowPad is also linked to the MSS (Chinese Ministry of State Security) and the People’s Liberation Army (PLA). It is mostly a two-file execution malware; a DLL loader containing a ShadowPad payload embedded in it. Threat actors using ShadowPad are targeting South Korea, India, Japan, Ukraine, Russia, and Mongolia. One such group is TAG-38 which has recently targeted Indian power grid assets.

Observed timeline of ShadowPad execution, service creation, and payload injection on a compromised network.

Impact

  • Unauthorized Access
  • Financial Theft
  • Information Theft

Indicators of Compromise

Domain Name

  • vsmrcil[.]casacam[.]net
  • exat[.]dnset[.]com
  • dprouds[.]casacam[.]net
  • secupdate[.]kozow[.]com

IP

  • 172[.]197[.]18[.]30
  • 172[.]200[.]21[.]190

MD5

  • 9d686ceed21877821ab6170a348cc073
  • 27d889c351ac2f48d31b91d06061ec8d
  • 17e812958704f4ced297731ce47de020
  • fac0b4fe5372d76607c36ccb51e6b7bb
  • 17268032c7562fa9473bb85018cb1c2c

SHA-256

  • 9c28c1b2ff0a84c8b667f128626f28b173feb07481192e214b5a29b98964a7f9
  • d48e671df571b76ee94c734bdd5272e12fcd1362f1d75138ff547bc2bc0c31ef
  • 0942f4a488899d5d78b31a0065e49c8689ccda88efc28186e29ee76861ba99da
  • 4557e923602730aab7718b61eeaf3a93edd0339a3c89c8f7061b9818c2df5203
  • bf3de88459f85ddd85245e3f1ce3bba6568919bbe46a808ad5d94d5415014926

SHA-1

  • 3ebeb4e08c82b220365b1e7dd0cc199b765eed91
  • f5b7ea5e705655a1bc08030b601443088a5af4dd
  • 57b5ca13d7b2dd9287bdda548ccf7b21c1201464
  • 952614358b37d2a519d66ee7759c70e31218ed36
  • 3d1ae0779b304a8d54df142933158417440ca3f

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.