📃Title: Updated Shadowpad Malware Leads to Ransomware Deployment
📅Date: 2025-02-20
🔗References:
Description
A recent investigation revealed Shadowpad malware being used to deploy a new ransomware family in Europe. The threat actor targeted 21 companies across 15 countries, primarily in the manufacturing sector. Access was gained through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication. The Shadowpad malware showed enhancements in anti-debugging techniques and encryption methods. Unusually, a previously unreported ransomware was deployed in some cases, mimicking the appearance of Kodex Evil Extractor but with different functionality. The attackers also used tools like CQHashDumpv2 and Impacket for post-exploitation activities. While attribution remains uncertain, there are weak links to the Teleboyi threat actor.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: malware-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Trend-Micro
- malpedia=“ShadowPad”
- threat-actor APT41
- target-information=“Argentina”
- target-information=“France”
- target-information=“India”
- target-information=“Italy”
- target-information=“Kazakhstan”
- target-information=“Malaysia”
- target-information=“Myanmar”
- target-information=“Philippines”
- target-information=“Spain”
- target-information=“Thailand”
- target-information=“Turkey”
- target-information=“United Kingdom”
- mitre-attack-pattern=[‘T1003’, ‘T1082’, ‘T1219’, ‘T1055’, ‘T1021’, ‘T1112’, ‘T1016’, ‘T1087’, ‘T1070’, ‘T1083’, ‘T1057’, ‘T1110’, ‘T1078’, ‘T1027’, ‘T1486’, ‘T1012’, ‘T1485’, ‘T1134’, ‘T1490’]
MISP event uuid: 10c081ae-38e5-4278-bec4-54debb50add4
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP