ShadowPad is a modular malware platform privately shared with multiple PRC-linked threat actors since 2015. According to SentinelOne, ShadowPad is highly likely the successor to PlugX. Due to its prevalence in the cyber espionage field, the VMware Threat Analysis Unit (TAU) was motivated to analyze the command and control (C2) protocol to discover active ShadowPad C2s on the Internet.
C2 Protocol
ShadowPad supports six C2 protocols: TCP, SSL, HTTP, HTTPS, UDP, and DNS. In this research, TAU focuses on TCP/HTTP(S)/UDP protocols as others like SSL and DNS are not likely utilized by the recent ShadowPad samples.
The format and encoding algorithm is different between TCP and HTTP(S)/UDP.
Table 1: Difference in packet format
| TCP | HTTP(S)/UDP | |
| Key size | 4 | 2 |
| Header size | 0x14 | 8 |
| Payload size in the initial handshake packet | Up to 0x3F | HTTP(S): Up to 0x1F,
UDP: 0x10 |
The key for the encoding is included in the header. Every integer value in the header is in big endian. Randomly-sized data will be appended as the payload to the initial handshake packet in both cases.
The immediate values used by the encoding algorithms are different per variant (probably per ShadowPad builder version). Analysis was performed on three ShadowPad variants, which TAU was able to collect in August 2021, as displayed in Table 2. The SHA256 hash values are included in the Indicators of Compromise section below.
Table 2: Analyzed ShadowPad variants
| Variant name | C2 protocol | Config size | Attribution | Source |
| Variant1
(aka ScatterBee) |
TCP/UDP | 0x896 | APT41 | Positive Technologies |
| Variant2 | HTTP(S) | 0x85C | Tonto Team | ESET |
| Variant3 | HTTP(S) | 0x85C | unknown | Positive Technologies |
TCP Protocol
Analysis was performed to fully detail the C2 protocol. The TCP protocol header format is displayed as follows.
| struct struc_common_header
{ __int32 session_key; __int32 plugin_and_cmd_id; // plugin_id (0x68) << 16 + cmd_id (0x51) __int32 module_code; // 0 __int32 payload_size_compressed; __int32 payload_size_original; }; |
The header format has been the same since first analyzed in 2015. The session_key is randomly generated and then used for encoding both the header and payload. The plugin_id and cmd_id values included in the plugin_and_cmd_id field have been updated by variants, some of which are covered in this paper. The values in the initial packet created by Variant1 should be 0x68 (Online plugin) and 0x51 (check-in). The module_code of the initial packet generated by the sender is always 0 (zero).
If any payload data exists, it will be compressed with the QuickLZ algorithm. QuickLZ is an older, publicly available compression routine that is not commonly seen. The client generates randomly-sized null bytes (up to 0x3F bytes) for the initial packet payload.
The Variant1’s encoding algorithm for the TCP packet in Python is displayed in Figure 1. Based on the protocol analysis results of Variant2 and Variant3, variants of this malware are expected to contain unique immediate values instead of 0x22F4B1BA for the TCP packet encoding.
Figure 1: TCP packet encoding by Variant1
After the initial handshake, Variant1 executes the commands of the plugins specified by the C2 server. For more details, review the Dr.WEB white paper explaining the individual command IDs and payload formats. The variant analyzed in the paper is older than Variant1 but the formats should be similar.
HTTP(S) and UDP Protocols
The header format for the HTTP(S) and UDP protocols is listed below. In HTTP(S), the data is sent through the POST method.
| struct struc_proto_header
{ __int16 session_key; __int16 type; // 0 in HTTP, req=0x1001/res=(0x2002|0x5005) in UDP __int16 session_src_id; // random 2 bytes, generated by both client/server __int16 session_dst_id; // req=0, res=client’s session_src_id }; |
The session_key has the same role as the TCP session_key though the key size is different. The second field type is always 0 (zero) in the HTTP initial packet while the UDP client and server send 0x1001/0x2002/0x5005. The session_src_id field is randomly generated by both client/server. The value sent by the client will be set in the session_dst_id field on the server side.
The initial packet payload data are randomly generated based on QueryPerformanceCounter and other APIs. The HTTP payload size is also random with a length of up to 31 (0x1F) bytes while the UDP one is fixed at 16 (0x10) bytes.
Each of the three Variant encoding algorithms in Python is shown below. The immediate values in the code are different, but the algorithm itself is identical.
Figure 2: UDP packet encoding by Variant1
Figure 3: HTTP(S) packet encoding by Variant2
Figure 4: HTTP(S) packet encoding by Variant3
After the initial handshake, the payload will contain the same data structure as the TCP packet (struc_common_header and its QuickLZ-compressed payload) explained in the previous section while the type field value in the struc_proto_header will be incremented.
Scanner Implementation
TAU decided on the following target protocols/ports based on the configurations extracted from the recent ShadowPad samples. As explained earlier, the scanner per variant had to be implemented due to the difference in immediate values used in the encoding.
Table 3: Target protocols/ports
| Scanning start period | Target protocol/port/variant |
| September 2021 | HTTP/443 (Variant2 & Variant3) |
| October 2021 | TCP/443 & UDP/53 (Variant1) |
| June 2022 | UDP/443 (Variant1), HTTP/80 (Variant3) |
The following flow chart shows how the ShadowPad C2 servers are detected by the scanners.
Figure 5: ShadowPad C2 detection flow
Similar to our Winnti 4.0 C2 scanning research, first the list of hosts open at targeted ports are created by ZMap. Then the scanner sends the ShadowPad-formatted packets to all IP addresses on the list. Next, the scanner checks that the response packet size is at least more than the header size and the session_key is different from the sending one to exclude honeypots. If the size and key look to be valid, the scanner decodes the response packet. In TCP protocol, the scanner validates the payload size fields (payload_size_compressed and payload_size_original). In HTTP(S) and UDP protocols, the code verifies if the type field value is correct and the response’s session_dst_id is matched with the session_src_id created by the scanner.
The following output log shows that eight Variant1 TCP servers were discovered by scanning the list of TCP/443 open hosts generated by ZMap. The command_id 0x53 from the C2s is a request to send system information of the infected host.
| 2022/06/xx xx:00:02,log file opened: scan_results/sp_scan_auto_202206xx_xxxxxx.csv
2022/06/xx xx:00:05,malware options: family = ShadowPad; targeted protocol = tcp (version = Variant1) 2022/06/xx xx:00:09,ShadowPad specific options: version = Variant1; key size = 4; key endian = big; header size = 0x14; Online plugin ID = 0x68; CMD ID = 0x51; module code = 0x0 2022/06/xx xx:00:16,51576779 open hosts read from corpus/2022-xx-xx_zmap22000ppsVPN_tcp_443.saddr 2022/06/xx xx:43:46,45.137.10.3,active,compressed payload size matched (plugin_id=0x68, command_id=0x53, payload=None) 2022/06/xx xx:40:28,45.32.248.92,active,compressed payload size matched (plugin_id=0x68, command_id=0x53, payload=None) ..[SKIPPED].. 2022/06/xx xx:01:05,43.129.188.223,active,compressed payload size-matched (plugin_id=0x68, command_id=0x53, payload=None) 2022/06/xx xx:48:35,51576779 scanned in 1 day, 17:48:32.497550 2022/06/xx xx:48:35,8 suspicious/active servers found (DB new=4 update=4) |
In order to detect the Variant2/Variant3 C2 servers TAU just uses the HTTP protocol scanner, not the HTTPS one, because the ShadowPad C2s can accept multiple protocol requests at a single port. TAU noticed the unique feature by extracting the C2 server configurations from the sample (SHA256: d011130defd8b988ab78043b30a9f7e0cada5751064b3975a19f4de92d2c0025).
| [*] config size = 0x85c
.. [+] C2 Entry 0 (offset 0xbc): ‘HTTPS://wwa1we.wbew.amazon-corp.wikaba.com:443’ [+] C2 Entry 1 (offset 0xed): ‘HTTP://wwa1we.wbew.amazon-corp.wikaba.com:443’ .. |
The hostnames and ports in the entries matched exactly but the protocols were different. In fact, TAU could verify that another active ShadowPad C2 can accept both protocols at the same port.
| $ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp http Variant2
.. [*] malware options: family = ShadowPad; targeted protocol = http (version = Variant2) [*] ShadowPad specific options: version = Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 53978 [D] POST: http://137.220.185.203:443/ (proxy={}, stream=True, timeout=30) [+] 137.220.185.203,active,client session ID matched (type=0x0) ..
$ ./c2fs.py -d -l corpus/query.txt -p 443 -f sp https Variant2 .. [*] malware options: family = ShadowPad; targeted protocol = https (version = Variant2) [*] ShadowPad specific options: version = Variant2; key size = 2; key endian = big; header size = 0x8; header type = 0x0; client session ID = 52256 [D] POST: https://137.220.185.203:443/ (proxy={}, stream=True, timeout=30) [+] 137.220.185.203,active,client session ID matched (type=0x0) .. |
The same behavior may be seen in other protocol combinations such as TCP/SSL and UDP/DNS. However, it’s impossible to test because TAU has not obtained any samples of the variants with the multiple C2 protocol plugins yet.
Result
Between September 2021 to September 2022, TAU identified 83 ShadowPad C2 servers (75 unique IPs) on the Internet. The percentage of each variant is shown in Figure 6. During the tracking period, we witnessed that Variant1 had become more active.
Figure 6: ShadowPad population by variant
The change in the number of active ShadowPad C2s is shown in Figure 7.
Figure 7: Change in the number of active ShadowPad C2s
Compared with 2021, the active C2s in 2022 has been on a declining trend, though the sharp drop in February 2022 was due to the system issue. The scanner may have missed a new variant lately as ShadowPad changes the immediate values used in the packet encoding per variant. TAU will continuously improve the scanner as TAU obtains new variant samples.
Malware Samples Sharing C2 IPs
TAU identified three samples communicating with the ShadowPad C2 IP addresses on VirusTotal. The sample information is listed in Table 4.
Table 4: Samples communicating with the ShadowPad C2 IPs
| Sample Malware family | C2 IP address | C2 Protocol/Port used by sample | Sample submission date | C2 first-seen date by scanner | C2 last-seen date by scanner |
| Spyder | 156.240.104.149 | TLS/443 | 2021/10/26 | 2021/10/16 | 2021/10/16 |
| ReverseWindow | 43.129.188.223 | TCP/10333 | 2022/02/27 | 2021/10/17 | 2022/10/04 |
| ShadowPad | 213.59.118.124 | UDP/443 | 2022/03/20 | 2022/03/06 | 2022/09/27 |
Spyder and ReverseWindow are APT malware utilized by PRC-linked cyber espionage threat actors (respectively APT41 and LuoYu). All C2s were discovered by the TCP/443 Variant1 scanner, but the samples communicated with a different protocol or port. Except the Spyder sample case, the C2s had accepted multiple protocols/ports at that time. The scanning system caught the C2s prior to the sample submissions in all cases.
Spyder Code Similarity with Winnti 4.0
Incidentally, it should be noted that the above-referenced Spyder sample contains the code handling the same C2 command data structure as Winnti 4.0 Worker which TAU reported three years ago in 2019.
Figure 8: Code handling C2 commands
The command IDs used by the malware families are shown in Table 5. The commands are decided based on a combination of two numbers. Dr.WEB defined the numbers as tag and id in the Spyder report while TAU defined them as cmd_ID and dispatch_ID in the Winnti 4.0 Worker analysis. Both have almost the same C2 command functions.
Table 5: Spyder and Winnti 4.0 command IDs
| Command | Spyder | Winnti 4.0 Worker | ||
| tag | id | cmd_ID | dispatch_ID | |
| Verify the client | 1 | 1 | 1 | 1 |
| Send victim information | 5 | 3 | 5 | 1 |
| Send plugins information | 6 | 1 | 6 | 9 or 13 |
| Save plugin parameters | 6 | 2 | 6 | 2 |
| Save plugin data | 6 | 3 | 6 | 3 |
| Load and run plugin entrypoint and export function #1 | 6 | 4 | 6 | 6 |
| Run plugin export function #4 and unload the plugin | 6 | 5 | 6 | 7 |
| Heartbeat | 6 | 6 | 6 | 8 |
| Run plugin export function #2 | 6 | 7 | 6 | 10 |
| Run plugin export function #3 | 6 | 8 | 6 | 11 |
| Send current connection information | 7 | 2 | –
(no command) |
– |
| Run function pointer of the 2nd parameter obtained by running export function #1 | 11 | – | 11 | – |
On the other hand, the total code similarity between them is just 37% when analyzed with the BinDiff utility. Other data structures like configuration block and C2 protocol header are much different. Based on the comparison displayed in Table 5, TAU hypothesizes that Spyder is a lightweight version of Winnti 4.0 Worker.
Table 6: Comparison of Spyder and Winnti 4.0 Worker
Spyder |
Winnti 4.0 |
|
Payload encoding / encryption |
single-byte XOR |
AES in CTR mode(key given as a cmdline argument) |
C2 Protocol |
TLS |
TCP/TLS/HTTP(S)/UDP |
Server-mode support |
No |
Yes |
3rd-party library |
uthash, Mbed TLS |
uthash |
Reported year |
2020 |
2019 |
Endpoint Detection
Last year the discovery of the use of a discovered C2 IP (107.155.50.198) triggered an incident response. The advanced and sophisticated attack had bypassed many methods of detection but was ultimately alerted upon simply because of the pre-identified C2 IP.
Figure 9: Alert based on the ShadowPad C2
Conclusion
By emulating the ShadowPad C2 protocols then scanning the C2 servers on the Internet, TAU has discovered over 80 C2 servers. The IOCs has been published on the GitHub page with discovered date ranges which are more helpful than just IP address information since the C2s are typically found on hosted servers. Approximately 10 C2s have always been active. TAU sees little possibility of false positives because the C2 protocol formats and encoding algorithms are fairly unique.
Scanning APT malware C2s on the Internet is sometimes like finding a needle in a haystack. However, once the C2 scanning works, it can become a game changer as one of the most proactive threat detection approaches.
Acknowledgment
TAU appreciates Leon Chang’s expertise and advice regarding ShadowPad. Chang shared his knowledge to gain a more complete, bigger picture of the variants.
Indicators of Compromise (IOC)
| Indicator | Type | Context |
| 03b7b511716c074e9f6ef37318638337fd7449897be999505d4a3219572829b4 | SHA256 | ShadowPad Variant1 |
| aef610b66b9efd1fa916a38f8ffea8b988c20c5deebf4db83b6be63f7ada2cc0 | SHA256 | ShadowPad Variant2 |
| d011130defd8b988ab78043b30a9f7e0cada5751064b3975a19f4de92d2c0025 | SHA256 | ShadowPad Variant3 |
| 1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da157eb4c1ef0f0430fd5f | SHA256 | Spyder communicating with the ShadowPad C2 (156.240.104.149) |
| 536def339fefa0c259cf34f809393322cdece06fc4f2b37f06136375b073dff3 | SHA256 | ReverseWindow communicating with the ShadowPad C2 (43.129.188.223) |
| 9447b75af497e5a7f99f1ded1c1d87c53b5b59fce224a325932ad55eef9e0e4a | SHA256 | ShadowPad Variant1 communicating with the ShadowPad C2 (213.59.118.124) |
