Latest Shadowpad Malware Results in Ransomware Deployment

Impacket
Impacket is a collection of Python classes for working with network protocols. We observed the use of WmiExec from the Impacket toolkit to connect to remote hosts.


Extraction of Active Directory databases

Although the specific tool remains unidentified (most likely NTDSUtil), the threat actor created files named aaaa.dit, presumably containing the Active Directory database, which could then be used for offline password cracking.
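As an added example (not code from the original post or from Trend Micro), the following Python triage runs over constructed process-creation events and flags the artefacts the two sections above describe: the command-line shape that Impacket's wmiexec.py produces by default, ntdsutil's ifm mode, and .dit files written outside C:\Windows\NTDS, such as the aaaa.dit files seen in this case. The event fields, hostnames and command lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Impacket's wmiexec.py runs each command through cmd.exe and redirects output to a
# temporary file under the ADMIN$ share, which leaves a distinctive command line.
WMIEXEC_CMDLINE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.+\s+1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?\s+2>&1",
    re.IGNORECASE)
# ntdsutil's "ifm" mode writes a copy of ntds.dit; the article names it as the likely tool.
NTDSUTIL_IFM = re.compile(r"ntdsutil(\.exe)?.*\b(ifm|ac\s+i\s+ntds)\b", re.IGNORECASE)
# any .dit path outside the live database directory (the article saw files named aaaa.dit)
DIT_PATH = re.compile(r"[^\s\"']+\.dit\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    host: str
    parent: str
    cmdline: str

def classify(ev: ProcEvent) -> list[str]:
    """Return the indicator names a process-creation event matches."""
    hits = []
    if WMIEXEC_CMDLINE.search(ev.cmdline):
        hits.append("impacket-wmiexec")
    if ev.parent.lower() == "wmiprvse.exe" and ev.cmdline.lower().startswith("cmd.exe"):
        hits.append("wmi-spawned-cmd")  # weaker signal: shell spawned by the WMI provider host
    if NTDSUTIL_IFM.search(ev.cmdline):
        hits.append("ntdsutil-ifm")
    for m in DIT_PATH.finditer(ev.cmdline):
        if "\\windows\\ntds\\" not in m.group(0).lower():
            hits.append("dit-file-outside-ntds")
            break
    return hits

def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map host -> matched indicators, omitting hosts with no findings."""
    out: dict[str, list[str]] = {}
    for ev in events:
        if hits := classify(ev):
            out.setdefault(ev.host, []).extend(hits)
    return out

# Constructed sample events (not from the incident).
SAMPLE_EVENTS = [
    ProcEvent("ws-17", "WmiPrvSE.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1705312345.12 2>&1"),
    ProcEvent("dc01", "cmd.exe", r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp" q q'),
    ProcEvent("dc01", "cmd.exe", r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\temp\aaaa.dit"),
    ProcEvent("ws-03", "explorer.exe", r"cmd.exe /c dir C:\Users"),
]
```

Running `triage(SAMPLE_EVENTS)` reports ws-17 for the WmiExec pattern and dc01 for both the ntdsutil invocation and the renamed .dit copy, while the benign dir command produces nothing.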

In both of our incident response investigations, we observed only one domain name used by Shadowpad as a command-and-control (C&C) server. For all the other Shadowpad loaders we analyzed, we were unable to retrieve the associated encoded payload and therefore the relevant C&C information.

This domain is updata.dsqurey[.]com. By pivoting on the infrastructure, we uncovered additional IP addresses. In total, we identified 3 more domain names, or up to 10 when subdomains are counted.

Several of these domain names were linked to other Shadowpad samples and to a blog post describing Tactics, Techniques, and Procedures (TTPs) similar to those we observed, strengthening our assessment that they belong to this threat actor.

These domains are detailed in the IOC segment.

Attribution

We did not find strong enough evidence to link this operation to previous campaigns or to a known threat actor. Two weak links point toward the Teleboyi threat actor; we elaborate on them below.

PlugX source code overlap

PlugX has been known since at least 2008 and has been used in many targeted attacks, typically by Chinese threat actors. Over time, its use spread to a wider range of attacks. Shadowpad is believed to be the evolution of PlugX.

On VirusTotal, we found a PlugX sample that connects to the domain name bcs[.]dsqurey[.]com. One of the Shadowpad samples linked to this case connected to updata[.]dsqurey[.]com.

The PlugX sample implements a custom algorithm for string encryption.

In their JSAC presentation (slide 27), TeamT5 describe TeleBoyi's custom PlugX loader as using a similar algorithm for decrypting strings. TeamT5 also link "Operation Harvest" to Teleboyi in their summary. The McUtil.dll PlugX loader (SHA-256: f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498) identified in the Operation Harvest blog post uses a closely related string-decryption algorithm. Another similarity is the PE icon of the PlugX sample, which is among the icons catalogued by TeamT5. Based on these findings, we are confident that this PlugX sample is linked to Teleboyi.

However, our investigation found that the dsqurey[.]com domain name was first registered on 2018-03-27, expired in late March 2022, and was re-registered on 2022-06-23. It is unclear whether the domain was reclaimed by the same threat actor or acquired by a different one. We therefore consider the link to Teleboyi weak.

Infrastructure correlation

In January 2024, the IP address 108.61.163[.]91 resolved to dscriy.chtq[.]net, a domain we tie to this threat actor.

In May 2022, the same IP address resolved to sery.brushupdata[.]com, a domain listed in Operation Harvest.

We consider this link to Teleboyi weak as well, since a year and a half separates the two resolutions.

Acknowledgments

We extend our gratitude to our European incident response and APT-OPS teams, along with Fernando Mercês, for their support in this investigation.

We also appreciate the insights provided by the Orange Cyberdefense CERT regarding the ransomware lineage.

Trend Vision One™

Trend Vision One™ is a cybersecurity platform for organizations that streamlines security operations and helps identify and mitigate threats quickly by consolidating multiple security capabilities. It gives organizations greater control over their attack surface and full visibility into their cyber risk posture. Drawing on AI and threat intelligence from 250 million sensors and 16 threat research centers worldwide, this cloud-based platform delivers comprehensive risk insights, early threat detection, and automated response to risks and threats in a single console.

Trend Vision One Threat Intelligence

To stay ahead of evolving threats, customers using Trend Vision One can access various Intelligence Reports and Threat Insights within the platform. These Threat Insights assist in proactively preparing for upcoming threats by furnishing thorough information on threat actors, their illicit activities, and methodologies. By leveraging this intelligence, organizations can take preemptive measures to fortify their ecosystems, mitigate risks, and mount effective responses to threats.

Trend Vision One Search App

Trend Vision One users can use the Search App to match or hunt for the malicious indicators mentioned in this write-up within their own data.

Hunt for connections to Shadowpad C&C domains

eventSubId:(203 OR 204 OR 301 OR 602 OR 603) AND ("updata.dsqurey.com")

Additional search parameters are accessible to Vision One customers with Threat Insights Entitlement enabled.
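As an added example (not part of the original write-up and not a Trend Vision One feature), the following Python hunt performs the equivalent of the search above over constructed DNS log lines, matching the refanged domains and IP address quoted in this article. Treating each listed domain's parent zone (dsqurey.com, chtq.net, brushupdata.com) as actor-controlled, so that other subdomains also fire, is an assumption drawn from the article's remark that the domain count reaches 10 once subdomains are included; the log-line format and hostnames are constructed.

```python
import ipaddress
import re
DEFANGED_IOCS = ["updata.dsqurey[.]com", "bcs[.]dsqurey[.]com", "dscriy.chtq[.]net",
                 "sery.brushupdata[.]com", "108.61.163[.]91"]
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query=(?P<q>\S+)\s+answer=(?P<a>\S+)$")

def refang(ioc: str) -> str:
    # undo the article's "[.]" defanging; drop the trailing dot DNS logs put on FQDNs
    return ioc.replace("[.]", ".").strip().lower().rstrip(".")

def build_watchlist(iocs):
    # FQDNs, their parent zones (assumed actor-controlled, see lead-in) and IPs
    fqdns, zones, ips = set(), set(), set()
    for raw in iocs:
        v = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(v)))
        except ValueError:
            fqdns.add(v)
            zones.add(".".join(v.split(".")[-2:]))
    return fqdns, zones, ips

def match_domain(name, fqdns, zones):
    n = refang(name)
    if n in fqdns:
        return "known C&C domain"
    if any(n == z or n.endswith("." + z) for z in zones):
        return "subdomain of actor zone"
    return None

def hunt(log_text, iocs=DEFANGED_IOCS):
    # scan 'ts host query=<name> answer=<ip>' lines; one finding per matching line
    fqdns, zones, ips = build_watchlist(iocs)
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = [r for r in (match_domain(m["q"], fqdns, zones),
                               "known C&C IP" if m["a"] in ips else None) if r]
        if reasons:
            findings.append({"host": m["host"], "query": m["q"], "reasons": reasons})
    return findings

# Constructed log lines (not from the incident); only actor-related ones should fire.
SAMPLE_DNS_LOG = """\
2024-01-12T08:14:02Z ws-17 query=updata.dsqurey.com answer=108.61.163.91
2024-01-12T08:14:09Z ws-17 query=cdn.example.org answer=203.0.113.10
2024-01-12T09:01:44Z dc01 query=mail.dsqurey.com answer=198.51.100.7
2024-01-13T11:02:51Z ws-03 query=dscriy.chtq.net. answer=108.61.163.91
"""
```

`hunt(SAMPLE_DNS_LOG)` returns three findings: the two exact C&C domains (each also answered by the known IP) and the unlisted mail.dsqurey.com, which fires only because of the parent-zone assumption.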

Indicators Of Compromise

You can find the indicators of compromise related to this article here.
