In a concerning incident, an unidentified hacker group targeted various entities in Pakistan using the Shadowpad malware. Cybersecurity firm Trend Micro discovered that a government agency, state bank, and telecommunications provider were compromised.
A Supply-Chain Attack
Researchers suspect that this attack may have been executed through a supply-chain strategy. This involves hackers compromising third-party software to gain unauthorized access to their desired targets.
The hackers manipulated a Microsoft installer developed by a Pakistani government entity for the E-Office app—a platform designed exclusively for government bodies to facilitate paperless operations.
It is important to note that this app is not publicly available but intended only for authorized use within governmental agencies. The researchers consider this restricted distribution further support for their theory that this was a supply-chain attack.
By adding three files to the legitimate Microsoft installer, the hackers successfully injected malicious code into unsuspecting systems.
Shadowpad: An Advanced Malware
Shadowpad is an advanced malware family initially discovered in 2017 after infiltrating CCleaner—an influential computer cleanup tool—through another supply-chain attack. It is widely believed that APT41 or Barium—a Chinese espionage threat actor—is behind its development.
While there isn’t enough evidence yet to attribute this specific attack directly to any known threat actor, the perpetrators’ access to an up-to-date version of Shadowpad suggests possible links with Chinese threat groups, according to Trend Micro’s analysis.
Since 2019, multiple Chinese hacking groups such as Earth Akhlut and Earth Lusca have used Shadowpad as part of their espionage activities. Because the malware is shared among several actors, attribution based on its presence alone is difficult.
Connection with Calypso Hacking Group
Researchers found traces of multiple malware families associated “with high confidence” with the Chinese hacking group named Calypso within one victim’s environment.
In June, a previously unknown Chinese-speaking threat actor exploited a vulnerability in Microsoft Exchange Server to target the telecommunications, manufacturing, and transport sectors in Afghanistan, Malaysia, and Pakistan. The attack employed Shadowpad malware as its primary weapon.
During these targeted attacks, the hackers disguised the Shadowpad backdoor as legitimate software while surreptitiously downloading it onto compromised computers.
“The authors of Shadowpad continuously enhance their malware to make reverse engineering more challenging,” stated the researchers. “We anticipate that future threat actors will utilize this updated version of Shadowpad.”
As cybersecurity threats evolve rapidly, it is crucial for organizations and governments to remain vigilant against such sophisticated attacks. By staying informed and adopting robust security measures, we can collectively defend against malicious activities in an increasingly interconnected world.