📃Title: Attacks on industrial control systems using ShadowPad
📅Date: 2022-06-27
🔗References:
Description
In mid-October 2021 researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan. Infected machines included engineering computers in building automation systems that are part of the infrastructure of a telecommunications company.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: intrusion-analysis
- target: targeted
- MY-relevancy: relevant
- topic: ics-ot
🔖MISP Galaxies:
- target-information="Pakistan"
- target-information="Afghanistan"
- target-information="Malaysia"
- producer Kaspersky
- malpedia="ShadowPad"
- sector="Logistic"
- sector="Manufacturing"
- sector="Telecoms"
- sector="Transport"
- malpedia="MimiKatz"
- malpedia="Cobalt Strike"
- malpedia="PlugX"
- threat-actor HAFNIUM
- sector="Industrial"
- mitre-attack-pattern=['T1560.002', 'T1119', 'T1020', 'T1197', 'T1574.002', 'T1005', 'T1140', 'T1041', 'T1567.002', 'T1090.002', 'T1083', 'T1564.001', 'T1090.001', 'T1114.001', 'T1046', 'T1059.001', 'T1012', 'T1053.005', 'T1132.001', 'T1071.001', 'T1222.001', 'T1047']
MISP event uuid: cc95784f-b4fb-49b4-8f6b-f5602e79675d
Indicators of Compromise (IoCs)
type,value,comment
md5,1a5856c343597dc219e3f5456018612b,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,011beaf3e9cd2896479313772cd591de,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,a7f3bf89f0b41704f185545c784b8457,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,35912c914bd84f23203c8fadac6d0548,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,299980c914250bac7522de849f6df24f,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,381616642d2567f8872b150b37e5196b,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,31fdae0b71c290440e0b465b17cf3c8d,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,420fcf11240589e8d29daab08251831d,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,40cd646554ed42d385ca6b55b9d3397d,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,61ba23b3b3d132fe0825907c0ea58399,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,0cac537476fd71763c07edfd7d831f0f,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,80ee7a1e9ad4ac6afcac83087dc5360f,'ShadowPad. No sample in VT; last check: 23/02/2025'
md5,74e43eca18e8c92cb332bbb671ce13b8,'Bat file for credential theft. No sample in VT; last check: 23/02/2025'
md5,8ee863c926d6847d1bf767783e700248,'Nextnet. No sample in VT; last check: 23/02/2025'
url,https://order.cargobussiness.site/,'ShadowPad C&C'
url,https://documents.kankuedu.org/,'ShadowPad C&C'
url,https://live.musicweb.xyz/,'ShadowPad C&C'
url,https://obo.videocenter.org/,'ShadowPad C&C'
url,https://tech.obj.services/,'ShadowPad C&C'
url,https://houwags.defineyourid.site/,'ShadowPad C&C'
url,https://noub.crabdance.com/,'ShadowPad C&C'
url,https://grandfoodtony.com/,'ShadowPad C&C'
hostname,storage.ondriev.tk,'CobaltStrike hosting and C&C'
ip-dst,116.206.92.26,'CobaltStrike hosting and C&C'
hostname,api.onedriev.tk,'CobaltStrike hosting and C&C'
ip-dst,69.172.80.131,'CobaltStrike hosting and C&C'
Full IoCs available in Rectifyq's MISP