The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DDoS, OpenSSL, Ransomware, Russia, Spyware, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad)
(published: October 27, 2022)
ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (during September 2021 to September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring.MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | anomali cyber watch active probing revealed shadowpad fodcha hides behind obscure awaiting openssl patch
