Trend Micro has found a sample of Shadowpad, a modular backdoor widely used by China-nexus threat actors, inside an application developed by the National Information Technology Board (NITB), a Pakistani government entity. The finding points to a possible intrusion by Chinese threat actors into the Pakistani government's digital infrastructure.
The Discovery
In a report published on July 14, 2023, Trend Micro threat analysts Daniel Lunghi and Ziv Chang described their analysis of the Microsoft Windows installer of E-Office, an e-administration application developed by NITB and used only by Pakistani government organizations. Inside the installer they found a DLL named mscoree.dll, loaded by an executable that the installer starts, which contained a Shadowpad payload.
Understanding Shadowpad
Shadowpad is a modular backdoor first documented in 2017, after a supply-chain attack on a widely used server management software package attributed to APT41 (also tracked as Wicked Panda and Bronze Atlas), a Chinese threat actor engaged in both espionage and financially motivated cybercrime. Since 2019 the malware has been shared among several Chinese threat actors, including the groups Trend Micro tracks as Earth Akhlut and Earth Lusca.
Implications and Attribution
Trend Micro assessed that the campaign is likely the work of a China-nexus threat actor, but it could not attribute the attack to a specific group with confidence. Even without a firm attribution, the discovery adds to the evidence of Chinese actors conducting targeted operations against Pakistani institutions.
Common Techniques Used
While analyzing the E-Office installer files, the Trend Micro researchers noted two techniques used by the threat actor. First, the code added by the attacker checks a few bytes of the loading executable at a fixed offset against an expected value and, if they do not match, the DLL exits. This ties the malicious DLL to its intended host executable, so loading it from a different process (for example, in a sandbox or an analyst's test harness) yields nothing. Second, the remaining code is obfuscated in two ways: a construction that prevents the disassembler from following the control flow, which hinders static analysis, and the insertion of superfluous instructions and branches to confuse analysts.
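The malicious component here is a DLL carrying the name of a legitimate Windows system library (mscoree.dll is the .NET runtime shim that normally lives under the Windows system directory) dropped beside an executable that loads it. A practitioner hunting for this pattern can look for copies of such DLL names outside the system directories and record what sits next to them. The script below is an added example, not Trend Micro's tooling; the only detail taken from the report is the file name mscoree.dll. The directory layout, the file contents, the name launcher.exe and the extra DLL names in the watch list are constructed for the demonstration.

```python
"""Hunt for DLL side-loading candidates such as a rogue mscoree.dll.

Added example, not part of the Trend Micro report. The demo tree built
by build_demo_tree() is constructed; only the name mscoree.dll comes
from the report.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names that legitimately live only under the Windows system
# directories. mscoree.dll is the case from the report; the other two
# are commonly abused side-loading targets added here as an assumption.
SYSTEM_DLL_NAMES = {"mscoree.dll", "version.dll", "dwmapi.dll"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_under(path: Path, roots) -> bool:
    """True if path is inside any of the given root directories."""
    rp = path.resolve()
    for root in roots:
        try:
            rp.relative_to(Path(root).resolve())
            return True
        except ValueError:
            continue
    return False


def find_sideload_candidates(root, system_dirs, dll_names=SYSTEM_DLL_NAMES):
    """Walk root; report system-named DLLs found outside system_dirs.

    Each finding records the DLL path, its hash and size, and any .exe
    files in the same directory (the likely side-loading host).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if is_under(d, system_dirs):
            continue  # legitimate location for these names
        lower = {f.lower(): f for f in files}
        for name in sorted(dll_names):
            if name not in lower:
                continue
            dll = d / lower[name]
            exes = sorted(f for f in files if f.lower().endswith(".exe"))
            findings.append({
                "dll": str(dll),
                "sha256": sha256_of(dll),
                "size": dll.stat().st_size,
                "adjacent_exes": exes,
            })
    return findings


def build_demo_tree(base: Path):
    """Constructed layout: a legitimate copy in the system directory and
    a rogue copy beside a (hypothetical) installer-dropped launcher.exe."""
    sys32 = base / "Windows" / "System32"
    app = base / "Program Files" / "E-Office"
    sys32.mkdir(parents=True)
    app.mkdir(parents=True)
    stub = b"MZ" + b"\x00" * 64  # fake PE header, constructed
    (sys32 / "mscoree.dll").write_bytes(stub + b"legit shim")
    (app / "mscoree.dll").write_bytes(stub + b"rogue loader")
    (app / "launcher.exe").write_bytes(stub + b"host")
    return base, [sys32]


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, sysdirs = build_demo_tree(Path(tmp))
        return find_sideload_candidates(root, sysdirs)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['dll']}  sha256={f['sha256'][:16]}...  "
              f"size={f['size']}  next to {f['adjacent_exes']}")
```

On a real host, call find_sideload_candidates with the drive root and the actual Windows and System32/SysWOW64 paths; the hashes it emits are what you would compare against vendor indicators or submit for analysis. The scan deliberately does not try to judge the DLL's contents, since a loader gated on its host executable (as described above) will not reveal anything when run elsewhere anyway.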
Consistent Obfuscation and Encryption
The researchers found several other Shadowpad samples that used the same two obfuscation techniques. The encryption of the backdoor configuration also differed from earlier Shadowpad activity: rather than a different encryption algorithm for each sample, a single algorithm was used to encrypt the configuration of every Shadowpad backdoor in this set. Together these details suggest that one threat actor is behind all of the identified samples, although the researchers did not establish this with certainty.
Targets in Pakistan
The investigation identified three victims, all in Pakistan. The first was a Pakistani government entity, where the Shadowpad sample was dropped after the trojanized E-Office installer was run on September 28, 2022. The second was a public sector bank, where multiple Shadowpad samples were detected on September 30, 2022, following an E-Office installation; in this case Trend Micro could not recover the E-Office installer involved. The third was a Pakistani telecommunications provider, where Shadowpad samples were found in May 2022, one of which had been present since mid-February 2022; the infection vector for this incident could not be determined.
Because E-Office is intended exclusively for government entities and is not publicly available, the most plausible explanation is a supply-chain attack in which the installer was trojanized before it reached its users. The presence of Shadowpad in an NITB-built application underlines that the integrity of software distributed to government systems must be verified, not only the security of the systems that receive it.