October 27, 2020
Introduction
In July 2020, we released a study of targeted attacks on state institutions in Kazakhstan and Kyrgyzstan with a detailed analysis of malware found in compromised networks. During the investigation, Doctor Web specialists analyzed and described several groups of trojan programs, including new samples of trojan families already encountered by our virus analysts, as well as previously unknown trojans. The most notable discovery was the samples of the XPath family. We were also able to find evidence that allowed us to link two initially independent incidents. In both cases, the attackers used a similar selection of malware, including the same specialized backdoors that infected domain controllers in the attacked organizations.
During the examination, analysts studied samples of the PlugX multi-module backdoor used for initial penetration of the network infrastructure. The analysis showed that certain PlugX modifications used the same C&C server domain names as other backdoors linked to targeted attacks on Central Asian state institutions. The presence of PlugX suggests that Chinese APT groups may be involved in these incidents.
According to our data, the unauthorized presence in both networks lasted for more than three years, and several hacker groups could be behind the attacks. Investigations of such complex cyber incidents involve long-term work, so they are rarely covered by a single article.
The Doctor Web virus laboratory received new samples of malware found on the infected computers in the local network of a state institution in Kyrgyzstan.
In addition to the malware described in the previous article, the ShadowPad backdoor deserves particular attention. Various modifications of this malware family are a well-known tool of the Winnti APT group, presumably of Chinese origin and active since at least 2012. It is noteworthy that the Farfli backdoor was installed on the computers alongside ShadowPad, and both programs used the same C&C server. Additionally, we uncovered several PlugX modifications on the same computer.
In this study we analyzed the algorithms of the detected backdoors. Special attention is paid to the code similarities between the ShadowPad and PlugX samples, as well as to some intersections in their network infrastructure.
List of detected malware
The following backdoors were found on the infected computer:
SHA256 hash | Detection name | C&C server | Installation date
---|---|---|---
ac6938e03f2a076152ee4ce23a39a0bfcd676e4f0b031574d442b6e2df532646 | BackDoor.ShadowPad.1 | www[.]pneword[.]net | 07.09.2018 13:14:57.664
9135cdfd09a08435d344cf4470335e6d5577e250c2f00017aa3ab7a9be3756b3<br>2c4bab3df593ba1d36894e3d911de51d76972b6504d94be22d659cff1325822e | BackDoor.Farfli.122<br>BackDoor.Farfli.125 | www[.]pneword[.]net | 03.11.2017 09:06:07.646
3ff98ed63e3612e56be10e0c22b26fc1069f85852ea1c0b306e4c6a8447c546a (DLL downloader)<br>b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module) | BackDoor.PlugX.47<br>BackDoor.PlugX.48 | www[.]mongolv[.]com | 29.12.2016 14:57:00.526
32e95d80f96dae768a82305be974202f1ac8fcbcb985e3543f29797396454bd1 (DLL downloader)<br>b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module) | BackDoor.PlugX.47<br>BackDoor.PlugX.48 | www[.]arestc[.]net | 23.03.2018 13:06:01.444
b8a13c2a4e09e04487309ef10e4a8825d08e2cd4112846b3ebda17e013c97339 (main module) | BackDoor.PlugX.48 | www[.]icefirebest[.]com | 03.12.2018 14:12:24.111
To support this comparison, we also located and analyzed other samples of the ShadowPad family in order to examine in detail the similarities between the ShadowPad and PlugX backdoors:
- BackDoor.ShadowPad.3
- BackDoor.ShadowPad.4 — a modification of ShadowPad that was delivered in a self-extracting WinRAR dropper. It loaded a module that is atypical for this family, packaged as a DLL library.
A thorough study of ShadowPad samples and their comparison with previously studied PlugX modifications indicates a high similarity in the operation principles and modular structures of the backdoors from both families. These malicious programs are united not only by the general concept, but also by the nuances of the code: certain development techniques, ideas, and technical solutions are nearly identical. An important point is that both backdoors were located in the compromised network of a state institution in Kyrgyzstan.
For a detailed description of the malware used and how it works, see the PDF version of the study or the following Dr.Web Virus Library entries:
- BackDoor.ShadowPad.1
- BackDoor.ShadowPad.3
- BackDoor.ShadowPad.4
- BackDoor.Farfli.122
- BackDoor.Farfli.125
- BackDoor.Siggen2.3243
Conclusion
The available data allow us to conclude that the two families are related, either through straightforward code borrowing or because both programs were developed by the same author or group of authors. In the latter case, ShadowPad is very likely an evolution of PlugX as a newer and more advanced APT tool. The format in which ShadowPad stores its malicious modules makes them much harder to detect in RAM.