Attacks on industrial control systems using ShadowPad
Common Information
Type Value
UUID 20feb34d-6f95-4885-9bde-aaf7590feffe
Fingerprint 5197779c31c6e970d9e3347be42e5a7fadf4c0ce711f35a08f89d68868df481a
Analysis status DONE
Considered CTI value 2
Text language
Published July 8, 2022, 3:22 p.m.
Added to db March 10, 2024, 1:35 a.m.
Last updated Aug. 31, 2024, 3:01 a.m.
Headline Attacks on industrial control systems using ShadowPad
Title Attacks on industrial control systems using ShadowPad
Detected Hints/Tags/Attributes 144/3/103
Attributes
Details Type #Events CTI Value
Details CVE 184
cve-2021-26855
Details Domain 54
godaddy.com (benign registrar domain, most likely pulled from the report's text rather than a malicious indicator — do not block on it)
Details Domain 338
kaspersky.com (the report publisher's own domain, not a malicious indicator)
Details Domain 707
google.com (benign domain, most likely a reference in the report text rather than an indicator — do not block on it)
Details Domain 2
order.cargobussiness.site
Details Domain 2
documents.kankuedu.org
Details Domain 7
live.musicweb.xyz
Details Domain 7
obo.videocenter.org
Details Domain 2
tech.obj.services
Details Domain 2
houwags.defineyourid.site
Details Domain 2
noub.crabdance.com
Details Domain 2
grandfoodtony.com
Details Domain 1
storage.ondriev.tk
Details Domain 1
api.onedriev.tk
Details Email 68
ics-cert@kaspersky.com (report contact address, not an indicator)
Details File 4
aro.dat
Details File 68
mscoree.dll
Details File 48
applaunch.exe
Details File 226
certutil.exe (legitimate Windows binary; its presence is TTP/living-off-the-land evidence, not a file indicator on its own)
Details File 7
iviewers.dll
Details File 2126
cmd.exe (legitimate Windows binary; use in combination with the other artefacts, not as a standalone indicator)
Details File 2
ggjrifga.tmp
Details File 17
quser.exe
Details File 12
xcopy.exe
Details File 351
recycle.bin
Details File 76
ping.exe
Details File 3
m1.log
Details File 165
reg.exe (legitimate Windows binary; evidence of technique rather than a file indicator)
Details File 96
rar.exe
Details File 2
10020111desk.rar
Details File 2
lwefqerm.tmp
Details File 47
winrar.exe
Details File 1
xerice.exe
Details File 175
update.exe
Details File 2
tech.obj
Details File 1
viewer.dll
Details md5 1
91131CCF507F61279268FA857AB53463
Details md5 1
8D5807D8EE69E472764FAEE7269B460B
Details md5 1
1A5856C343597DC219E3F5456018612B
Details md5 1
27F636A36207581E75C700C0E36A8031
Details md5 1
011BEAF3E9CD2896479313772CD591DE
Details md5 1
A7F3BF89F0B41704F185545C784B8457
Details md5 1
35912C914BD84F23203C8FADAC6D0548
Details md5 1
299980C914250BAC7522DE849F6DF24F
Details md5 1
381616642D2567F8872B150B37E5196B
Details md5 1
31FDAE0B71C290440E0B465B17CF3C8D
Details md5 1
420FCF11240589E8D29DAAB08251831D
Details md5 1
40CD646554ED42D385CA6B55B9D3397D
Details md5 1
61BA23B3B3D132FE0825907C0EA58399
Details md5 1
0CAC537476FD71763C07EDFD7D831F0F
Details md5 1
80EE7A1E9AD4AC6AFCAC83087DC5360F
Details md5 1
74E43ECA18E8C92CB332BBB671CE13B8
Details md5 1
C024E5163AB6DD844813BF0D9A6F082B
Details md5 1
86B25E416EEE0F5FB17370F3929E45F4
Details md5 1
8EE863C926D6847D1BF767783E700248
Details IPv4 2
167.179.64.62
Details IPv4 1
10.126.209.24 (RFC 1918 private address — an internal host from the victim environment described in the report, not an externally actionable indicator)
Details IPv4 1
10.251.115.0 (RFC 1918 private address/subnet — internal to the reported environment, not an externally actionable indicator)
Details IPv4 2
116.206.92.26
Details IPv4 1
45.77.249.48
Details IPv4 1
45.76.54.156
Details IPv4 1
192.248.151.110
Details IPv4 1
108.160.133.247
Details IPv4 1
103.152.255.82
Details IPv4 1
107.191.47.52
Details IPv4 1
198.13.44.48
Details IPv4 1
95.179.142.104
Details IPv4 1
45.77.243.204
Details IPv4 1
45.32.101.196
Details IPv4 1
192.248.180.109
Details IPv4 1
69.172.80.131
Details MITRE ATT&CK Techniques 460
T1059.001
Details MITRE ATT&CK Techniques 275
T1053.005
Details MITRE ATT&CK Techniques 310
T1047
Details MITRE ATT&CK Techniques 40
T1197
Details MITRE ATT&CK Techniques 227
T1574.002
Details MITRE ATT&CK Techniques 504
T1140
Details MITRE ATT&CK Techniques 20
T1222.001
Details MITRE ATT&CK Techniques 94
T1564.001
Details MITRE ATT&CK Techniques 585
T1083
Details MITRE ATT&CK Techniques 168
T1046
Details MITRE ATT&CK Techniques 501
T1012
Details MITRE ATT&CK Techniques 29
T1560.002
Details MITRE ATT&CK Techniques 111
T1119
Details MITRE ATT&CK Techniques 534
T1005
Details MITRE ATT&CK Techniques 34
T1114.001
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 99
T1132.001
Details MITRE ATT&CK Techniques 35
T1090.001
Details MITRE ATT&CK Techniques 36
T1090.002
Details MITRE ATT&CK Techniques 102
T1020
Details MITRE ATT&CK Techniques 422
T1041
Details MITRE ATT&CK Techniques 100
T1567.002
Details Url 2
http://116.206.92.26:82/update.exe
Details Url 1
https://order.cargobussiness.site
Details Url 1
https://documents.kankuedu.org
Details Url 1
https://live.musicweb.xyz
Details Url 1
https://obo.videocenter.org
Details Url 1
https://tech.obj.services
Details Url 1
https://houwags.defineyourid.site
Details Url 1
https://noub.crabdance.com
Details Url 1
https://grandfoodtony.com
Details Yara rule 1
import "pe"

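// Detects the ShadowPad DLL variant that ships under the file name
// iviewers.dll / viewer.dll (both listed as file attributes above). A hit is an
// MZ-headed DLL under 2 MB that carries one of the viewer-related strings, has
// no Authenticode signature whose subject names Microsoft, and does not contain
// the "OLEViewer" marker -- presumably the legitimate viewer binary's own
// string, which the rule uses as an exclusion.
rule apt_shadowpad_iviewers_dll_variant {
	meta:
		description = "Rule for detecting Shadowpad iviewers.dll variant"
		author = "Kaspersky"
		copyright = "Kaspersky"
		// Kept on a single line: YARA string literals cannot span lines, so the
		// line-wrapped form of this value does not compile.
		distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM"
		version = "1.0"
		last_modified = "2022-01-20"
		// MD5s of the reference samples (they also appear as md5 attributes above).
		hash = "011BEAF3E9CD2896479313772CD591DE"
		hash = "A7F3BF89F0B41704F185545C784B8457"
		hash = "35912C914BD84F23203C8FADAC6D0548"
		hash = "299980C914250BAC7522DE849F6DF24F"
	strings:
		// Module-name strings of the look-alike DLL; any one of them is enough.
		$viewers = "VIEWER.dll" fullword
		$Iviewers = "IVIEWERS.dll"
		$comapi = "viewer Copyright" wide
		// Exclusion string: files containing it are never reported.
		$oleview = "OLEViewer"
	condition:
		uint16(0) == 0x5A4D and filesize < 2MB and pe.is_dll()
		and ($Iviewers or $comapi or $viewers)
		// Drop anything whose signature subject names Microsoft. Fixed to index
		// pe.signatures[i]: the original tested signatures[0] on every iteration
		// and used an inclusive upper bound one past the last entry, so a
		// Microsoft certificate anywhere after the first signature was ignored.
		// NOTE(review): this only string-matches the subject; it does not check
		// that the signature is valid or chains to a trusted root, so a bogus
		// certificate with the same subject text would still suppress a match.
		and not for any i in (0 .. pe.number_of_signatures - 1) :
			( pe.signatures[i].subject contains "O=Microsoft Corporation" )
		and not $oleview
}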