ShadowPad Trojan Detection: Redfly Hackers Apply a Nefarious RAT to Hit National Power Grid Organization in Asia

ShadowPad backdoor is popular among multiple state-backed APTs, including China-linked hacking groups, widely used in their cyber espionage campaigns. A nefarious cyber espionage group known as Redfly has taken advantage of ShadowPad’s offensive capabilities targeting Asia’s state electricity grid organization for half a year.

Shadowpad Trojan Detection

The growing threat of nation-state APT attacks poses an increasing menace to the critical infrastructure sector. Since Industroyer malware by Sandworm was discovered to be used in attacks against the Ukrainian power grid in 2017, state-backed actors have developed novel approaches to penetrate and disrupt critical infrastructure facilities. 

To identify and proactively defend against possible attacks relying on ShadowPad Trojan used by Redfly APT to target Asia’s electricity grid, SOC Prime Platform aggregates a batch of curated Sigma rules compatible with 28 SIEM, EDR, XDR, and Data Lake platforms. 

Possible PackerLoader Execution To Execute Shellcode By Detection of Associated Command (via process_creation)

This rule by our experienced Threat Bounty developer Mustafa Gurkan Karakaya detects possible PackerLoader execution via rundll by the detection of the associated command. The detection algorithm is compatible with 24 technology formats while addressing Execution tactics and Command and Scripting Interpreter as a corresponding technique. 

Possible ShadowPad Trojan Persistence Activity Through Creating Service By Redfly Group (via security)
This rule by Mustafa Gurkan Karakaya detects the possible persistent activity of the Redfly group by creating an associated service. The detection algorithm is compatible with 18 technology formats and enriched with extensive metadata alongside CTI links. 

To obtain the full detection stack helping to identify malicious activity linked to ShadowPad Trojan, hit the Explore button below. All the Sigma rules are mapped to MITRE ATT&CK framework and enriched with threat intel references to streamline threat investigation. 

Explore Detections

Eager to hunt on threats and share your expertise with peers? Join our Threat Bounty Program and participate in the crowdsourcing initiative on Sigma rules creation. Enhance your threat hunting and detection engineering skills, network with industry experts, expand your professional horizons, and earn money for your contribution. 

Shadowpad Trojan Analysis

ShadowPad RAT is an advanced modular backdoor designed as the next iteration of PlugX malware. ShadowPad can boast multiple sophisticated capabilities and has gained in popularity among hacking collectives due to its cost-effectiveness. Adversaries apply this Trojan to deploy malicious payloads, establish and maintain C2 communication, and modify plugins. ShadowPad malware has frequently been observed in attacks linked to Chinese APT groups enabling adversaries to maintain long-term presence in breached networks. 

The latest campaign targeting the national electricity grid organization in Asia shares similar tools and infrastructure with the earlier attacks linked to the cluster of APT41 activity. Cybersecurity researchers at Symantec track a set of adversaries behind the relevant offensive cluster known under the monikers Blackfly and Grayfly. However, Symantec distinguishes a separate hacking collective behind the latest adversary activity, Redfly, with the critical national infrastructure being its key target.

Researchers observed the long-term presence of ShadowPad malware in the breached network of the targeted organization covering a six-month period. The persistent intrusion against the national grid poses an escalating threat to the critical infrastructure of other organizations, potentially resulting in significant economic harm, especially during periods of political instability.

The offensive toolkit leveraged by Redfly involves the upgraded ShadowPad interaction with the malicious components disguised as VMware files that are further deployed on the compromised system. ShadowPad gains persistence by generating relevant services that are intended to run the malicious EXE and DLL files upon the system setup.

In addition, Redfly takes advantage of a keylogging utility used to store captured keystrokes in log files on the targeted instances along with Packerloader, which is intended to load and run shellcode. The latter is stored using AES encryption enabling adversaries to evade detection and launch arbitrary files or commands on the vulnerable devices. Redfly has also been noticed applying PowerShell to run commands enabling them to collect information about the storage devices linked to the compromised system. To move laterally, adversaries leveraged the DLL side-loading technique, scheduled tasks to execute legit binaries, and stolen user credentials. Redfly also used a renamed version of the ProcDump command-line utility to dump credentials from LSASS and further apply them for authentication on other instances within the network.

The Redfly’s attack targeting an Asia power grid organization is the latest in a wave of cyberespionage attacks against critical infrastructure. In late spring 2023, the U.S. and international cybersecurity authorities released a joint alert covering the escalating risks of China-backed APT activity targeting the national critical infrastructure, with the attack surface expansion on a global scale. The latest intrusion by Redfly along with the previous campaigns covered in the joint advisory requires ultra-responsiveness from defenders to timely identify the threat and remediate its impact.

SOC Prime curates the world’s largest knowledge base of the latest threat intelligence linked to MITRE ATT&CK, 500+ Sigma rules for APT detection, vulnerability exploitation, and mitigation guidance searchable at sub-second performance. Browse SOC Prime to proactively detect potential intrusions and delve into relevant CTI to eliminate the risks before adversaries have a chance to strike.