Trend Micro has discovered a sample of Shadowpad, a sophisticated backdoor used by various Chinese-sponsored threat actors, in an application built by the National Information Technology Board (NITB), a Pakistani government entity.
In research published on July 14, 2023, Daniel Lunghi and Ziv Chang, two threat analysts working for the Japanese cybersecurity provider, analyzed the Microsoft Windows installer of E-Office, an e-administration application developed by the NITB and exclusively used by Pakistani government organizations.
One of the three files launched by the installer, mscoree.dll, appeared to be a Shadowpad payload.
Shadowpad is a modular backdoor discovered in 2017 after a supply-chain attack on a popular piece of server management software attributed to APT41 (aka Wicked Panda and Bronze Atlas), a Chinese dual espionage and cybercrime threat actor.
Since 2019, this malware has been shared among multiple Chinese threat actors, such as Earth Akhlut or Earth Lusca.
Therefore, Trend Micro said that campaign could be potentially linked to the “nexus” of Chinese threat actors, but could not attribute to a particular group with confidence.
All Samples Used the Same Techniques
When analyzing the E-Office installer files, the Trend Micro researchers found the threat actor added code that checks some bytes of the loading executable at a hard-coded offset to verify that they match a particular value. If this is not the case, the DLL closes itself.
If it is the case, the rest of the code is obfuscated with two techniques: one prevents the disassembler from statically following the code flow, making static analysis extremely difficult, and the other adds useless instructions and branches that are never taken in order to confuse any malware analyst.
Several Shadowpad samples were found with these two obfuscation techniques.
The encryption scheme of this campaign was different from what has been used previously, with the threat actor encrypting each Shadowpad backdoor configuration sample with the same algorithm. Historically, each sample was encrypted with a different algorithm.
These technical elements could mean that the same threat actor is likely behind all of the samples found by Trend Micro, although the researchers do not make such a claim.
Three Pakistani Targets
The researchers found three targets, all in Pakistan.
The first victim we found was a Pakistan government entity. Trend Micro confirmed that the Shadowpad sample landed on the victim after executing the backdoored E-Office installer on September 28, 2022.
The second victim was a Pakistani public sector bank. In this incident, different Shadowpad samples were detected on September 30, 2022, after E-Office was installed, and Trend Micro could not retrieve the related E-Office installer.
Other related Shadowpad samples were detected at a Pakistani telecommunications provider in May 2022. Later analysis showed that one had been there since mid-February 2022, but the researchers could not find the infection vector for this incident.
The fact that the E-Office “is intended for government entities only and is not publicly available enforces our belief that the incident could be a supply-chain attack,” Lunghi and Chang concluded.