# ShadowPad: new activity from the Winnti group

ptsecurity.com

## Contents

- Introduction
- 1. Network infrastructure
  - 1.1. Detecting ShadowPad
  - 1.2. Links to other groups
    - 1.2.1. TA459
    - 1.2.2. Bisonal
  - 1.3. Victims
  - 1.4. Activity
- 2. Analysis of malware and tools
  - 2.1. Analyzing SkinnyD
  - 2.2. Analyzing xDll
    - 2.2.1. Dropper
    - 2.2.2. xDll backdoor
  - 2.3. ShadowPad
    - 2.3.1. ShadowPad loader and obfuscation
    - 2.3.2. ShadowPad modules
    - 2.3.3. ShadowPad configuration
    - 2.3.4. Network protocol
  - 2.4. Python backdoor
  - 2.5. Utilities
- Conclusion

## Introduction

During threat research in March 2020,[1] PT Expert Security Center specialists found a previously unknown backdoor and named it xDll, after the original name found in its code. Because of a configuration flaw on the malware's command and control (C2) server, some server directories were externally accessible. The following new samples were found on the server:

- ShadowPad
- A previously unknown Python backdoor
- Utilities for progressing the attack
- An encrypted xDll backdoor

ShadowPad is used by Winnti (APT41, BARIUM, AXIOM), a group that has been active since at least 2012. This state-sponsored group originates from China.[2] Its key interests are espionage and financial gain, and its core toolkit consists of malware of its own making. Winnti uses complex attack methods, including supply chain and watering hole attacks. The group knows exactly who its victims are: it develops attacks very carefully and deploys its primary tools only after detailed reconnaissance of the infected system. The group attacks countries all over the world, including Russia, the United States, Japan, South Korea, Germany, Mongolia, Belarus, India, and Brazil.
The group tends to attack the following industries:

- Gaming
- Software development
- Aerospace
- Energy
- Pharmaceuticals
- Finance
- Telecom
- Construction
- Education

The first attack with ShadowPad was recorded in 2017.[3] This backdoor has often been used in supply chain attacks, such as the CCleaner[4] and ASUS[5] compromises. ESET released its most recent report about Winnti activities involving ShadowPad in January 2020.[6] We found no connection between that report and the current infrastructure. However, during our research we found that the new ShadowPad infrastructure has commonalities with the infrastructures of other groups, which may mean that Winnti was involved in other attacks whose organizers and perpetrators were previously unknown.

This report contains a detailed analysis of the new network infrastructure related to ShadowPad and of new malware samples from the Winnti group, as well as an analysis of ties to other attacks possibly associated with the group.

_[1. twitter.com/Vishnyak0v/status/1239908264831311872](https://twitter.com/Vishnyak0v/status/1239908264831311872)_
_[2. securelist.com/winnti-more-than-just-a-game/37029/](https://securelist.com/winnti-more-than-just-a-game/37029/)_
_[3. securelist.com/shadowpad-in-corporate-networks/81432/](https://securelist.com/shadowpad-in-corporate-networks/81432/)_
_[4. blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer](https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer)_
_[5. securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/)_
_[6. welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/](https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/)_

## 1. Network infrastructure

### 1.1. Detecting ShadowPad

Initially, when the xDll backdoor was analyzed (see Section 2.2), it could not be clearly tied to any APT group.
The sample had a very interesting C2 server, www.g00gle_jp.dynamic-dns[.]net, which potentially indicates attacks against Japan. When we studied the network infrastructure and searched for similar samples, we found several domains with similar names.

_Figure 1. Network infrastructure of the Winnti group at the initial stage of analysis_

The domain names give reason to suspect that attacks also target South Korea, Mongolia, Russia, and the United States. When we studied the infrastructure further, we found several simple downloaders unfamiliar to us (see Section 2.1). They contact related C2 servers and expect the response to carry a payload XOR-encrypted with the key 0x37. We named the downloader SkinnyD (Skinny Downloader) for its small size and bare-bones functionality. The URL structure and some strings in SkinnyD make it very similar to the xDll backdoor.

At first, we could not obtain the payload for SkinnyD, because all of its C2 servers were inactive. But after a while, we found new samples of the xDll backdoor. When we analyzed one of them, we found some public directories on its C2 server. The file called x.jpg is an xDll backdoor encrypted with XOR using the key 0x37. This suggests that xDll is a payload for SkinnyD.

_Figure 2. Structure of public directories on the discovered C2 server_

The most interesting thing on the server is the contents of the "cache" directory.

_Figure 3. Contents of the "cache" directory_

_Figure 4. Example of lines from the log (for a detailed description of the parameter values, see the xDll analysis)_

It contains data about the victims and the malware downloaded to infected computers. The name of each victim file is the MD5 hash of the infected computer's MAC address, as sent by xDll; the file contents include the time of the last connection to the C2 server. Judging by the changes in the second part of the malware file names, the server time might seem to be expressed in nanoseconds.
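The x.jpg payload above (and anything else SkinnyD fetches) can be recovered from a captured copy without running the downloader. The script below is an added example written for this page, not code from the report or from the malware: instead of hard-coding 0x37 it derives the single-byte key from the expected MZ magic, decrypts, and then follows e_lfanew to confirm a PE signature before trusting the result. The input is a constructed stand-in for a PE file, XORed with 0x37 to mimic x.jpg.

```python
"""Recover a SkinnyD/xDll payload encrypted with a single-byte XOR key.

Added example for this page, not code from the report or the malware.
Instead of hard-coding 0x37 it derives the key from the expected 'MZ' magic,
decrypts, and follows e_lfanew to the 'PE\\0\\0' signature before
accepting the result as a PE image.
"""
import struct
from typing import Tuple

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob: bytes) -> int:
    """Derive the key from the first byte, assuming the plaintext starts with 'MZ'.

    Both magic bytes must agree on the same key, which rules out most chance hits.
    """
    if len(blob) < 2:
        raise ValueError("blob too short to hold an MZ header")
    key = blob[0] ^ MZ_MAGIC[0]
    if blob[1] ^ key != MZ_MAGIC[1]:
        raise ValueError("second byte does not decrypt to 'Z'; not single-byte XOR over MZ")
    return key


def looks_like_pe(image: bytes) -> bool:
    """Check the DOS header and follow e_lfanew (offset 0x3C) to the PE signature."""
    if len(image) < 0x40 or image[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(image) - 4 and image[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def decode_payload(blob: bytes) -> Tuple[int, bytes]:
    """Recover the key, decrypt, and validate; returns (key, decrypted image)."""
    key = recover_single_byte_key(blob)
    image = xor_bytes(blob, key)
    if not looks_like_pe(image):
        raise ValueError("decrypted data is not a PE image (key 0x%02x)" % key)
    return key, image


def build_fake_pe(total_size: int = 0x100) -> bytes:
    """Constructed stand-in for a PE file: DOS header, e_lfanew -> 'PE\\0\\0', zero padding.

    Only the fields the validator reads are populated; this is not a runnable executable.
    """
    header = bytearray(MZ_MAGIC + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)           # e_lfanew = 0x40
    return bytes(header) + PE_SIGNATURE + b"\0" * (total_size - 0x44)


if __name__ == "__main__":
    # Simulate x.jpg from the C2: a PE image XORed with 0x37.
    captured = xor_bytes(build_fake_pe(), 0x37)
    key, image = decode_payload(captured)
    print("recovered key 0x%02x, PE header valid: %s" % (key, looks_like_pe(image)))
```

To run it against a real x.jpg, replace `captured` with the file's bytes; if a later build changes the key, the script reports the new key instead of silently producing garbage.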
Interpreting that value as nanoseconds cannot be right, however, since it would take us back all the way to March 1990. Ultimately, we do not know why this time base was chosen.

In the malware files, we found ShadowPad, a previously unknown Python backdoor, and utilities for progressing the attack. A detailed analysis of the malware and utilities is provided in Section 2.

At certain intervals, the attackers request information from infected computers via the xDll backdoor. This information is saved to the file list.gif. We should note that in the xDll samples we have, the Domain field contains the name of the domain where the infected computer is located. However, in the log that field for almost all computers contains the SID of the user whose account was used to launch xDll. That may be a bug in a certain xDll version, because this value provides no useful information to the attackers.

Going deeper into the network infrastructure, we found that many servers have the same chain of SSL certificates with the following parameters:

- Root: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myCA, SHA1=0a71519f5549b21510410cdf4a85701489676ddb
- Base: C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer, SHA1=2d2d79c478e92a7de25e661ff1a68de0833b9d9b

_Figure 5. Parameters of the SSL certificate_

We have encountered this certificate in several publications about ShadowPad attacks. The first is the investigation of the 2017 attack on CCleaner: Avast provided details[7] of the attack, and a screenshot included there shows the same certificate. The second is a talk by FireEye researchers at Code Blue 2019 about cyberattacks against Japanese targets.[8] In one of the attacks, the researchers found POISONPLUG (FireEye's name for ShadowPad), and analysis of the infrastructure revealed the same certificate on ShadowPad C2 servers.

_Figure 6. Slide from the FireEye presentation_

_[7. 
blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer](https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer)_
_[8. slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko](https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko)_

Searching for servers with this certificate helped us not only to detect new ShadowPad samples and C2 servers, but also to find connections to other attacks previously not attributed to Winnti (see Section 1.2). In total, we found over 150 IP addresses that carry this certificate or carried it previously. Of these, 24 addresses were active at the time of writing. There were also 147 domains related to those addresses, and for these domains we found Winnti malware. During our research, the group's domains moved from one IP address to another many times, which indicates active attack operations.

The motive for using the same SSL certificate on almost all ShadowPad C2 servers is not clear. It may result from the same system image being installed on the C2 servers, or from simple overconfidence. We saw the same thing with certificates when researching the activity of the TaskMasters[9] group: at some point, the attackers started installing self-signed certificates with identical metadata on their servers, which ultimately helped us find their infrastructure. For defenders, the two SHA-1 fingerprints above are a practical pivot: they can be searched in internet-wide TLS scan data and in an organization's own TLS inspection logs.

The following figure shows the distribution of detected IP addresses by location.

_Figure 7. 
Geolocation of C2 servers (pie chart: Hong Kong 47.6%; the United States, South Korea, Malaysia, Singapore, and China share 20.2%, 18.3%, 3.8%, 3.4%, and 2.4%; Others 4.4%: Russia 1.9%, United Kingdom 1%, Netherlands 0.5%, Lithuania 0.5%, Germany 0.5%)_

About half of the group's servers are located in Hong Kong. The IP addresses are distributed among 45 unique providers. More than half of the servers are concentrated on the IP addresses of six providers, five of which are in Asia (Hong Kong, China, and South Korea).

_[9. ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/](https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/)_

### 1.2. Links to other groups

#### 1.2.1. TA459

In 2017, Proofpoint issued a report about attacks against targets in Russia and Belarus using ZeroT and PlugX.[10] The report mentions the domain yandax[.]net, which was indirectly related to the infrastructure used in that attack: the domain resolved to the same IP address as one of the PlugX servers. The WHOIS data for that domain looks as follows:

_Figure 8. Registrant lookup for the domain yandax[.]net_

In the past few years, the email address dophfg@yahoo[.]com has been used to register several more domains.

_Figure 9. Domains with similar WHOIS data_

_[10. proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx)_

In our study of the ShadowPad infrastructure, we came across active servers linked to two domains from this set: www.ertufg[.]com and www.ncdle[.]net. Those servers also carried the SSL certificate typical of ShadowPad. In addition, we found ShadowPad samples connecting to those domains. One of the samples had a rather old compilation date, July 2017. However, this timestamp is probably not accurate, because the sample's C2 domain was registered in August 2018. The sample also disguises itself as a component of the Toshiba Bluetooth Stack for Windows, named TosBtKbd.dll.

_Figure 10. Structure of domains related to ShadowPad_

Here we can make another inference. The domain yandax[.]net initially had a different email address in its WHOIS data: fjknge@yahoo[.]com.
The same address was also used to register one of the NetTraveler C2 servers, riaru[.]net. That domain was used in attacks targeting the CIS and Europe, which Proofpoint researchers have described.[11] It is also possible that the infrastructure was used by some other group to disguise its activity. However, the scope, targeted countries, and industries all overlap with those of the Winnti group. The connections are indirect and individually weak, but together they give reason to believe that all these attacks were carried out by the same group.

_[11. proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests](https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests)_

#### 1.2.2. Bisonal

On one of the IP addresses in the ShadowPad infrastructure, we found domains used in Bisonal RAT attacks between 2015 and 2020.

_Figure 11. ShadowPad and Bisonal domains sharing an IP address_

In addition, we found a Bisonal sample with a direct relationship to the new ShadowPad infrastructure.

_Figure 12. Bisonal and ShadowPad infrastructure_

We also came across a presentation[12] given at JSAC 2020 by Hajime Takai, a Japanese researcher with NTT Security. It details an attack on Japanese systems in which the chain included xDll, used to download Bisonal to the infected computer.

_[12. jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf](https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf)_

_Figure 13. Slide from Hajime Takai's research_

Takai links the attack to the Bitter Biscuit campaign described by Unit 42.[13] Bisonal was used in that campaign, too. The attack tools found by Takai are almost completely identical to the ones we found on the ShadowPad server; even some hash sums are identical (see Section 2). Researchers believe[14] that the Bisonal attacks were performed by Tonto Team.
That group concentrates its efforts on three countries: Russia, South Korea, and Japan. Its targets include government entities, militaries, finance, and industry. All of these fall within the area of interest of the Winnti group. Given the new details about Bisonal being used together with xDll, plus the overlapping network infrastructure, it stands to reason that the Winnti group is behind the Bisonal attacks.

### 1.3. Victims

According to the server data, more than 50 computers had been infected. We could not establish the exact location and industry of every infected computer. However, by comparing the time of each infected computer's latest connection to the server (as recorded in its victim file) with the time at which we received the file carrying that timestamp, we could derive the victims' timezones and map them.

_Figure 14. Map with victims' timezones_

_[13. unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/](https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/)_
_[14. blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html](https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html)_

Most countries located in the timezones marked on the map are within Winnti's area of interest. We were able to identify some of the compromised organizations, including:

- A university in the U.S.
- An audit firm in the Netherlands
- Two construction companies (one in Russia, the other in China)
- Five software developers (one in Germany, four in Russia)

All victims, both identified and unidentified, were notified through the national CERTs. We have no details about the attacks on them. However, since ShadowPad has been used in supply chain attacks via software developers, and several software developers have been compromised here, we are most likely dealing with either a new supply chain distribution attempt or an attack that is already in progress.

### 1.4. 
Activity

Activity on the server (such as collection of information from the victims and the appearance of new utilities) usually took place outside business hours in the victims' timezones: for some it was evening, for others early morning. This tactic is typical of Winnti; the group did the same when it compromised CCleaner, as Avast reported.

## 2. Analysis of malware and tools

Judging by the data we collected, the delivery process in the current campaign looks as follows:

_Figure 15. Payload delivery diagram (initial vectors: phishing and an unknown vector; stages: SkinnyD and xDll; payloads: ShadowPad, Bisonal, the Python backdoor, and utilities)_

The compilation times of the malware samples we found correspond to business hours in the UTC+8 timezone (where China and Hong Kong are located).

_Figure 16. Malware compilation time in UTC+0 (number of samples per hour of day)_

_Figure 17. Malware compilation time in UTC+8 (number of samples per hour of day)_

### 2.1. Analyzing SkinnyD

SkinnyD (Skinny Downloader) is a simple downloader: it contains several C2 addresses and tries them one by one. The next stage is downloaded with a GET request to the C2 server at a URL generated from a format string hard-coded in the malware.

_Figure 18. URL format string_

The malware checks the data received from the C2 as follows:

- The data size must be more than 0x2800 bytes.
- The data must begin with the bytes "4D 5A" (MZ).

The downloaded binary is decrypted with XOR and loaded reflectively as a PE image. After the binary loads, control transfers to its exported symbol MyCode. The malware gains persistence via the registry value UserInitMprLogonScript under HKCU\Environment,[15] a logon script that runs at every user logon.

_[15. attack.mitre.org/techniques/T1037/](https://attack.mitre.org/techniques/T1037/)_

_Figure 19. 
Persistence code_

In the SkinnyD samples we studied, we found an interesting artifact linking it to xDll: the string "3853ed273b89687". Since the string is not used by the downloader, it is perhaps a builder artifact.

### 2.2. Analyzing xDll

#### 2.2.1. Dropper

The dropper is an executable written in C and compiled with Microsoft Visual Studio. Its compilation date (February 11, 2020, 9:54:40 AM) looks plausible.

_Figure 20. General information about the dropper_

It carries the xDll backdoor as a payload in its data section.

_Figure 21. Another executable file in the dropper_

The dropper extracts 59,392 bytes of data and attempts to write them to one of two paths:

- %windir%\Device.exe
- %windir%\system32\browseui.dll

Next, it copies itself to %windir%\DeviceServe.exe and creates a service named VService, thereby ensuring auto-launch as a service.

_Figure 22. Installing the service_

When the service runs, it creates a separate thread for running the payload.

_Figure 23. Running the payload_

We should note that there is no code path for launching the other payload variant, the DLL (browseui.dll).

#### 2.2.2. xDll backdoor

The backdoor is written in C++ and compiled with Microsoft Visual Studio using the MFC library. It also has a plausible compilation date, February 10, 2020, 6:14:37 PM.

_Figure 24. General information about the payload_

It creates a separate thread in which all actions take place. It starts by scouting the system, collecting the following information:

- Computer name
- IP address
- OEM code page
- MAC address (used later to calculate the MD5 hash that identifies the victim in C2 interactions)

_Figure 25. Obtaining MAC address_

- OS version

_Figure 26. Obtaining OS version_

- The preset identifier "sssss" (probably characteristic of this particular version of the backdoor)
- Whether the user is an administrator

_Figure 27. Checking privileges_

- Whether it is running in a virtual environment

_Figure 28. 
Checking the environment_

- Domain and username

_Figure 29. Obtaining domain and username_

- CPU

_Figure 30. Obtaining CPU information_

- RAM

_Figure 31. Obtaining information about RAM_

- System language

_Figure 32. Obtaining information about the system language_

Next, the backdoor decrypts the C2 server addresses. In this case there are two, but they are identical: www.oseupdate.dns-dns[.]com. The backdoor body contains a third address (127.0.0.1), which is replaced with the decrypted one.

_Figure 33. Decrypting C2 address_

Once the C2 address is obtained, a GET request is sent in the following format:

hxxp://{host}:{port}/{uri}?type=1&hash={md5}&time={current_time}

The request parameters are:

- host: the C2 address
- port: 80
- uri: the string "news.php"
- md5: the MD5 hash of the MAC address, which is probably the victim identifier
- current_time: the current system time

Here is how it looks on the wire:

_Figure 34. Sample request to the server_

Note that the request uses a hard-coded value for the HTTP User-Agent header:

Mozilla/5.0 (Windows NT 5.2) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

_Figure 35. Embedded User-Agent_

The expected server response is the character "1". If that response is received, a POST request is sent with basic system information in JSON format:

- MD5 hash of the MAC address
- Computer name
- IP address
- OS version
- Domain name
- The preset identifier "sssss"
- OEM code page

Example request:

_Figure 36. Sending system information_

We should note that the JSON produced is malformed. In addition, the value of the In_IP field is missing. Perhaps both the internal and external IP addresses were meant to be reported, but the logic for determining the external address was not yet implemented in this xDll variant. Another tell-tale detail is the value ("post_info") of the Referer HTTP header.
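The check-in just described is easy to spot in web-proxy logs. The following detection routine is an added example (not code from the report), run over a few constructed log lines: it keys on the news.php query shape (a numeric type, a 32-character hex hash, a numeric time), the hard-coded Chrome/12 User-Agent, and the post_info Referer on the follow-up POST. The tab-separated log layout, the C2 host name c2-host.invalid and the client addresses are constructed for the example; the exact MAC string that xDll feeds to MD5 is not given in the report, so victim_id makes a labelled assumption about it.

```python
"""Flag xDll check-in traffic in web-proxy logs.

Added example for this page, not code from the report. The URL shape, the
hard-coded User-Agent, the '1' reply and the 'post_info' Referer come from the
analysis above. Assumptions: the log is tab-separated
(timestamp, client, method, url, user-agent, referer); the C2 host and client
addresses are constructed; and the MAC string that xDll hashes is taken to be
upper-case and dash-separated, which the report does not specify.
"""
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

XDLL_UA = ("Mozilla/5.0 (Windows NT 5.2) AppleWebKit/534.30 "
           "(KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30")
XDLL_URI = "news.php"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def victim_id(mac: str) -> str:
    """MD5 of the MAC address, the value xDll sends in the 'hash' parameter.

    Assumption: the MAC is hashed as 'AA-BB-CC-DD-EE-FF'; adjust if a sample shows otherwise.
    """
    return hashlib.md5(mac.upper().replace(":", "-").encode()).hexdigest()


def classify_request(method: str, url: str, ua: str, referer: str) -> Optional[Dict[str, object]]:
    """Return a verdict for an xDll stage, or None for unrelated traffic."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    if method == "GET" and parts.path.endswith("/" + XDLL_URI):
        # Beacon: ?type=<digit>&hash=<md5>&time=<digits>. type=1 is the first contact;
        # other digits are accepted too (assumption: later stages keep the same shape).
        if first("type").isdigit() and HEX32.match(first("hash")) and first("time").isdigit():
            return {"stage": "beacon", "victim": first("hash"), "type": first("type"),
                    "ua_match": ua == XDLL_UA}
    if method == "POST" and referer == "post_info":
        # System-information upload sent after the server answers the beacon with '1'
        return {"stage": "sysinfo", "victim": "", "type": "", "ua_match": ua == XDLL_UA}
    return None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse tab-separated log lines and collect every xDll hit with time and client."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue
        ts, client, method, url, ua, referer = fields
        verdict = classify_request(method, url, ua, referer)
        if verdict is not None:
            verdict.update({"time": ts, "client": client})
            hits.append(verdict)
    return hits


# Constructed sample log: one infected host beaconing and uploading, one benign request.
SAMPLE_LOG = [
    "2020-03-12T08:01:02Z\t10.0.0.15\tGET\thttp://c2-host.invalid:80/news.php?type=1&hash="
    + victim_id("00:11:22:33:44:55") + "&time=1584000062\t" + XDLL_UA + "\t-",
    "2020-03-12T08:01:03Z\t10.0.0.15\tPOST\thttp://c2-host.invalid:80/news.php\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\tpost_info",
    "2020-03-12T08:02:00Z\t10.0.0.16\tGET\thttp://www.example.org/news.php?id=42\tMozilla/5.0\t-",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The beacon match on its own is a strong signal because the query shape is unusual; the User-Agent and Referer checks are kept separate so that a rebuilt xDll with a different UA still surfaces as a lower-confidence hit.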
The POST request also uses a different User-Agent header from the one used by the beacon:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Next comes the loop for processing C2 commands. For that purpose, the backdoor sends a GET request in the same format as described earlier, the only difference being that the "type" parameter is now "2" instead of "1":

hxxp://{host}:{port}/{uri}?type=2&hash={md5}&time={current_time}

The expected server response is a lowercase Latin letter (a to z). The following table shows the commands and the corresponding actions:

| Command | Action |
|---|---|
| c | Collect and send information about connected volumes |
| d | Collect and send the contents of a directory |
| e | Receive a file from the server, save it to the system, and report success |
| f | Run the indicated file with ShellExecuteA and report success |
| g | Delete the indicated file with ShellExecuteA and report success |
| h | Upload the indicated file to the server |
| j | Collect and send a list of system processes |
| k | Terminate the indicated process and report success |
| l | Execute a command with cmd.exe and send the output |
| m | Continue communicating with cmd.exe and run further commands |
| n | Collect and send a list of system services |
| o | Send all information collected during reconnaissance |
| q | Same as d |
| u | Restart all communication with the C2 from the beginning |

Successful execution of some commands requires additional data. For instance, downloading a file from the server (the "e" command) requires a file name, which the server supplies after a comma: "e,dangerous_file.txt". This is what such a request and response look like:

_Figure 37. An example of a command for downloading a file_

Next, the file is requested and its content is returned:

_Figure 38. File content sent to the server_

Then a report indicating successful download is sent.

_Figure 39. 
Report on successful file download_

Notice again the idiosyncratic value of the Referer header ("upfile"), the declared content type (image/pjpeg), and the name of the transmitted file, {md5}.gif (again using the MD5 hash of the MAC address).

When the directory listing command ("d") is processed, the delimiter is not a comma. Instead, the path to the directory is expected to start from the second character, for instance "d|C:\Users".

_Figure 40. Directory listing_

The data is transmitted in JSON format, and this time the JSON is well-formed. The following example shows the result of sending the information obtained from system reconnaissance (the "o" command).

_Figure 41. Sending system information_

The data is submitted in JSON format again, but with fewer keys. The JSON string templates are embedded in the backdoor, and the string itself is formed by concatenation, without any JSON library. However, in some cases, when a brief report is sufficient, the information is transmitted in plaintext.

_Figure 42. Result of command for code execution_

### 2.3. ShadowPad

As mentioned, we found some public directories on one of the xDll servers, and one of those directories contained ShadowPad. We found no significant differences from earlier versions, so the following is only a brief analysis of the new version.

#### 2.3.1. ShadowPad loader and obfuscation

The first stage is decryption of the shellcode responsible for installing the backdoor on the system. The shellcode is decrypted with an XOR-like algorithm, which modifies the key at each iteration with arithmetic operations involving certain constants.

_Figure 43. Main module decryption cycle_

After decryption, control transfers to the loader, which features a characteristic type of obfuscation.

_Figure 44. Obfuscation used in the loader_

We already saw this type of obfuscation in previous versions of ShadowPad.
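The obfuscation is a pair of opposite conditional jumps (je/jne, jb/jae, and so on) to the same address, with junk bytes placed between the second jump and that address: the junk is never executed, but a linear disassembler decodes it as instructions and loses synchronization. The script below is an added example (not code from the report or from ShadowPad) that removes it automatically: it scans for such a pair in short (7x rel8) or near (0F 8x rel32) encoding and overwrites the unreachable bytes with NOP (0x90). The sample bytes are constructed.

```python
"""Strip ShadowPad's opposite-conditional-jump junk bytes.

Added example for this page, not code from the report or from ShadowPad.
Pattern: two conditional jumps with opposite conditions (je/jne, jb/jae, ...)
to one target, followed by junk bytes that are never executed but desynchronise
a linear disassembler. The junk run, from the end of the second jump to the
shared target, is overwritten with NOP (0x90). Short (7x rel8) and near
(0F 8x rel32) encodings are handled; the sample bytes are constructed.
"""
import struct
from typing import Iterator, Optional, Tuple

NOP = 0x90


def decode_jcc(buf: bytes, off: int) -> Optional[Tuple[int, int, int]]:
    """Decode a Jcc at `off` into (condition code 0..15, absolute target, length), or None."""
    if off + 2 <= len(buf) and 0x70 <= buf[off] <= 0x7F:
        rel = struct.unpack_from("<b", buf, off + 1)[0]
        return buf[off] & 0x0F, off + 2 + rel, 2
    if off + 6 <= len(buf) and buf[off] == 0x0F and 0x80 <= buf[off + 1] <= 0x8F:
        rel = struct.unpack_from("<i", buf, off + 2)[0]
        return buf[off + 1] & 0x0F, off + 6 + rel, 6
    return None


def find_junk_regions(buf: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (start, end) of each junk run guarded by an opposite Jcc pair."""
    off = 0
    while off < len(buf):
        first = decode_jcc(buf, off)
        if first is not None:
            cond1, target1, len1 = first
            second = decode_jcc(buf, off + len1)
            if second is not None:
                cond2, target2, len2 = second
                end = off + len1 + len2
                # Opposite conditions differ only in the low bit of the condition code
                # (0x74 je / 0x75 jne, 0x72 jb / 0x73 jae, ...).
                if cond2 == cond1 ^ 1 and target1 == target2 and end < target1 <= len(buf):
                    yield end, target1
                    off = target1
                    continue
        off += 1


def deobfuscate(buf: bytes) -> Tuple[bytes, int]:
    """Return the patched code and the number of junk bytes replaced with NOP."""
    out = bytearray(buf)
    patched = 0
    for start, end in find_junk_regions(buf):
        out[start:end] = bytes([NOP]) * (end - start)
        patched += end - start
    return bytes(out), patched


# Constructed sample: prologue, je/jne pair over three junk bytes, then real code.
SAMPLE = bytes([
    0x55,                    # push ebp
    0x8B, 0xEC,              # mov  ebp, esp
    0x74, 0x05,              # je   +5  -> offset 0x0A
    0x75, 0x03,              # jne  +3  -> offset 0x0A
    0xE8, 0xFF, 0xC3,        # junk: looks like the start of a call to a linear disassembler
    0x33, 0xC0,              # xor  eax, eax
    0xC3,                    # ret
])

if __name__ == "__main__":
    code, count = deobfuscate(SAMPLE)
    print("patched %d byte(s): %s" % (count, code.hex()))
```

This is a byte-pattern scan rather than a disassembly, so operand bytes can occasionally look like a Jcc opcode; on a real loader, run it over the decrypted code and confirm each hit in a disassembler before relying on the patched image.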
Junk bytes are inserted at various points in the code, each point marked by two opposite conditional jumps to the same address. To do away with this obfuscation, the junk bytes must be replaced (with the "nop" opcode, for instance). After the addresses of the API functions have been resolved and the required code has been placed in memory, control passes to the backdoor installation stage.

#### 2.3.2. ShadowPad modules

Like the previous versions, this backdoor has a modular architecture. By default, the backdoor includes the following modules:

_Figure 45. Calling the functions for decryption and decompression of the modules built into the backdoor_

| Module name | ID | Compilation time |
|---|---|---|
| Root | 5E6909BA | GMT: Wednesday, 11 March 2020, 15:54:34 |
| Plugins | 5E69097C | GMT: Wednesday, 11 March 2020, 15:53:32 |
| Online | 5E690988 | GMT: Wednesday, 11 March 2020, 15:53:44 |
| Config | 5E690982 | GMT: Wednesday, 11 March 2020, 15:53:38 |
| Install | 5E69099F | GMT: Wednesday, 11 March 2020, 15:54:07 |
| DNS | 5E690909 | GMT: Wednesday, 11 March 2020, 15:51:37 |

The identifiers of these modules remain unchanged from version to version; the modules, too, are installed and run in a separate thread via the registry. Module compilation times can be found in the auxiliary header that precedes the shellcode.

_Figure 46. Location of the compilation time in the shellcode header_

A typical feature of every ShadowPad sample is the encryption of the strings in each module. The encryption algorithm is similar to the one used for decrypting the backdoor; the only difference is in the constants used for key modification.

The way some API functions are called in ShadowPad modules is somewhat interesting. Some samples compute the function address every time a function is called, as shown in Figure 47. In addition, addresses of the functions to be called can be obtained via a special structure.
The load addresses of the libraries are taken from the members of that structure, and the offsets of the required API functions are then added to them.

_Figure 47. String decryption code in ShadowPad_

_Figure 48. Example of obfuscation of calling an API function_

_Figure 49. De-obfuscated calls (illustrated by the Install module)_

For persistence, the backdoor copies itself to C:\ProgramData\ALGS\ under the name Algs.exe and creates a service with the same name.

_Figure 50. Service created for gaining persistence_

The malware then launches a new svchost.exe process, injects its own code into it, and transfers control to that code.

_Figure 51. Code for creating process and injecting into it_

#### 2.3.3. ShadowPad configuration

In all samples of the backdoor, the configuration is encrypted. The Config module is responsible for operating on it. The configuration is a sequence of encrypted strings, each following the previous one without any zero padding or alignment. The configuration is encrypted with the same algorithm as the strings.

_Figure 52. Decrypted malware configuration_

#### 2.3.4. Network protocol

The packet format used in all ShadowPad versions has remained unchanged.[16] For packets sent to the server, the packet body and the packet header are generated separately. After they are concatenated (without any padding), the whole packet is encrypted with an algorithm whose logic is close to that of the algorithms used for decrypting the main module and the strings inside the backdoor. Figure 53 shows the algorithm.

_Figure 53. Packet encryption code used in exchanges with the C2 server_

The structure of encrypted packets received from the C2 server is fairly simple (as illustrated by the Init packet).

_Figure 54. Structure of ShadowPad packets_

### 2.4. Python backdoor

This backdoor, which we found on the server, was in py2exe format. It is written in Python 2.7 and contains its configuration variables at the beginning.

_[16. 
media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf)_

_Figure 55. Backdoor configuration_

Three commands can be executed remotely:

- CMDCMD: execute a command via cmd.exe
- UPFILECMD: upload a file to the server
- DOWNFILECMD: download a file from the server

The ONLINECMD command is executed by the backdoor right after launch. It collects system information and sends it to the server.

_Figure 56. Commands for collecting system information_

The backdoor has a function for gaining persistence via the registry Run key:

reg add "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "startup" /d "c:/Windows/system32/idles.exe

After gaining persistence and collecting system information, the malware packs the data and uploads it to the C2 server. Interaction with the server is over a plain TCP socket:

socket.socket(socket.AF_INET, socket.SOCK_STREAM)

Certain values are prepended to the data; the result is then compressed with zlib and encoded in Base64.

_Figure 57. Data packing algorithm_

In the packing code (Figure 57):

- flag is a value initialized when the backdoor starts.

_Figure 58. Initializing the "flag" parameter_

- key is a value taken from the configuration.
- cmd is the command being executed.
- data is the collected data.

After the data is prepared, its length and the delimiter specified in the configuration are prepended, and the packet is sent to the server.

_Figure 59. Forming the final data packet_

_Figure 60. Example of formed data_

After the initial system data is sent, the backdoor enters a loop awaiting commands from the server.

_Figure 61. Main loop_

### 2.5. Utilities

Among our finds on the server were utilities for lateral movement. Most of them are open-source tools available on GitHub.
They were originally written in Python but converted to PE executables. The server held the following utilities:

- Utilities[17] to check for and exploit the MS17-010 vulnerability
- LaZagne[18] for gathering passwords
- get_lsass[19] for dumping passwords on x64 systems
- NBTScan
- DomainInfo for collecting domain information

_[17. github.com/worawit/MS17-010/blob/master/checker.py](https://github.com/worawit/MS17-010/blob/master/checker.py)_
_[18. github.com/AlessandroZ/LaZagne](https://github.com/AlessandroZ/LaZagne)_
_[19. github.com/3gstudent/Homework-of-C-Language/blob/master/sekurlsa-wdigest.cpp](https://github.com/3gstudent/Homework-of-C-Language/blob/master/sekurlsa-wdigest.cpp)_

The attackers tweaked the MS17-010 checker by adding the ability to check an entire subnet.

_Figure 62. Modified utility for checking for MS17-010_

The scan walks the addresses out of sequence, which may throw defenders off the scent, and it skips addresses whose final octet is 1 or 2, because such addresses very rarely belong to user computers.

Another utility of note on the server collects information about the domain of the target computer:

- Computer name
- Names of the computer's users, divided into groups
- Domain name
- Name of the current user's group
- Names of the groups in the domain
- Names of the users in each group

All of this information is collected legitimately, via the API functions of Netapi32.dll, and saved in XML format in the utility's directory. Interestingly, the utility was compiled in 2014 with Microsoft Visual Studio 2005 and carries the PDB path "e:\Visual Studio 2005\Projects\DomainInfo\Release\Domain05.pdb".

## Conclusion

We have analyzed the infrastructure of the Winnti group and conclude that it has been active since early 2019. This infrastructure is currently growing, which means Winnti is active.
According to our information, the group has already compromised over 50 computers, and some of those may serve as a staging ground for subsequent, more serious attacks. The group has added new malware to its arsenal, such as SkinnyD, xDll, and a Python backdoor. We found important connections between the current Winnti infrastructure and other large attacks in which the group may have been directly involved.

The observed spike in the group's activity may be related to the coronavirus pandemic. Many companies have switched employees to working from home and, as shown by our data, 80 percent of employees use their personal computers for work. The result is that many employees are currently not protected by corporate security tools and security policies. This makes them an easy target.
### MITRE

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1566.001 | Spear-phishing Attachment | Winnti sent spearphishing emails with malicious attachments |
| Execution | T1204.002 | User Execution: Malicious File | Winnti attempted to get users to launch malicious attachments delivered via spearphishing emails |
| Execution | T1569.002 | System Services: Service Execution | Winnti created Windows services to execute the xDll backdoor |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Winnti added Registry Run keys to establish persistence |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | Winnti has created new services to establish persistence |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Winnti used a custom cryptographic algorithm to decrypt the payload |
| Defense Evasion | T1055 | Process Injection | Winnti injected ShadowPad into the wmplayer.exe process |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Winnti used legitimate executables to perform DLL side-loading of their malware |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | Winnti has created a hidden directory under C:\ProgramData |
| Defense Evasion | T1027 | Obfuscated Files or Information | Winnti used VMProtected binaries |
| Defense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Winnti used a custom packing algorithm |
| Credential Access | T1555 | Credentials from Password Stores | Winnti used a variety of publicly available tools like LaZagne to gather credentials |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Winnti used get_lsass to dump credentials |
| Discovery | T1087.001 | Credentials from Password Stores | Winnti gathered information on members on the victim's machine |
| Discovery | T1087.002 | Account Discovery: Domain Account | Winnti gathered domain user account information |
| Discovery | T1069.002 | Permission Groups Discovery: Domain Groups | Winnti gathered domain group information |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Winnti uses HTTP(S) for C2 |
| Command and Control | T1095 | Non-Application Layer Protocol | Winnti uses TCP and UDP for C2 |

### About Positive Technologies

[ptsecurity.com](https://www.ptsecurity.com/ru-ru/) | [pt@ptsecurity.com](mailto:pt%40ptsecurity.com?subject=) | [facebook.com/PositiveTechnologies](http://facebook.com/PositiveTechnologies) | [facebook.com/PHDays](http://facebook.com/PHDays)

For 18 years, Positive Technologies has been creating innovative solutions for information security.
We develop products and services to detect, verify, and neutralize the real-world business risks associated with corporate IT infrastructure. Our technologies are backed by years of research experience and the expertise of world-class cybersecurity experts. Over 2,000 companies in 30 countries trust us to keep them safe. [Follow us on social media (LinkedIn, Twitter) and the News section at ptsecurity.com.](http://www.linkedin.com/company/positive-technologies)