| Field | Value |
| --- | --- |
| Names | ShadowNet |
| Category | Malware |
| Type | Backdoor, Info stealer, Exfiltration |
| Description | (Citizen Lab) ShadowNet malware leverages Windows Management Instrumentation (WMI), a system tool meant for administrators. Its intended usage as a tool for collecting system information and automation makes it an ideal mechanism for gathering and exfiltrating data. The use of legitimate Windows features can make it more difficult for administrators to identify activity as malicious. ShadowNet typically uses multi-layered C2 infrastructure that first connects to blog websites and then retrieves C2 information from encoded strings left on the blog. By using blog sites as intermediaries, the attackers can maintain control of compromised machines even if a C2 is blocked by a network firewall or otherwise goes down. If a C2 needs to be updated, the attackers can simply point the intermediaries to new servers. |
| Information | <https://citizenlab.ca/2015/03/tibetan-uprising-day-malware-attacks/> |
Last change to this tool card: 20 April 2020
| Changed | Name | Country | Observed |
| --- | --- | --- | --- |
| APT groups | | | |
| | Shadow Network | | 2010-2010 |

1 group listed (1 APT, 0 other, 0 unknown)