ShadowNet

Description

(Citizen Lab) ShadowNet malware leverages Windows Management Instrumentation (WMI), a management interface built into Windows and intended for administrators. Because WMI's legitimate purpose is collecting system information and automating tasks, it is an ideal mechanism for gathering data and staging it for exfiltration. Activity that runs through a legitimate Windows feature is harder for administrators to separate from normal management traffic, so the presence of WMI activity is not the indicator by itself; what WMI is asked to do, and which process asks, is.
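The description above says that abuse of WMI hides among legitimate administration. Below is an added example (not code from the original card or from Citizen Lab) of the minimal hunt a defender would run over process-creation telemetry to separate the two: flag interpreters spawned by the WMI provider host WmiPrvSE.exe (WMI-driven execution) and bursts of wmic.exe inventory queries from one user (WMI-driven collection). Field names follow the Sysmon Event ID 1 layout; the event lines, the interpreter list, the wmic class list and the burst threshold are constructed assumptions, not documented ShadowNet behaviour.

```python
"""
Added example, not code from the original card or from Citizen Lab: a small
hunt over process-creation telemetry for two generic signs of WMI abuse.
Field names follow the Sysmon Event ID 1 layout (Image, ParentImage,
CommandLine, User); the events, the interpreter list, the wmic class list and
the burst threshold are constructed assumptions, not documented ShadowNet
behaviour.
"""
import json
import ntpath
from collections import Counter

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"svchost.exe -k netsvcs","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"cmd.exe /c systeminfo > C:\\Users\\Public\\si.txt","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"wmic os get caption,version,osarchitecture","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"wmic nicconfig get ipaddress,macaddress","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe notes.txt","User":"CORP\\jdoe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"wmiprvse.exe -secured -Embedding","User":"NT AUTHORITY\\NETWORK SERVICE"}
"""

# Children of the WMI provider host that should not normally appear (assumed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# wmic aliases that read host inventory rather than change anything (assumed list).
RECON_CLASSES = {"os", "computersystem", "nicconfig", "useraccount", "group",
                 "qfe", "product", "service", "startup", "logicaldisk"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def hunt(events_text: str) -> list:
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for lineno, raw in enumerate(events_text.strip().splitlines(), 1):
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue
        image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        # Rule 1: WMI-driven execution. A process created through
        # Win32_Process.Create has WmiPrvSE.exe as its parent.
        if parent == "wmiprvse.exe" and image in INTERPRETERS:
            alerts.append({"line": lineno, "rule": "wmi_spawned_interpreter",
                           "user": ev["User"], "cmd": cmd})
        # Rule 2: WMI-driven collection through the wmic.exe inventory aliases.
        elif image == "wmic.exe" and RECON_CLASSES & set(cmd.lower().split()):
            alerts.append({"line": lineno, "rule": "wmic_recon",
                           "user": ev["User"], "cmd": cmd})
    return alerts


def recon_burst(alerts: list, threshold: int = 2) -> list:
    """Users with at least `threshold` wmic_recon hits. One query is often an
    admin; several different classes in a row looks like an inventory pass."""
    counts = Counter(a["user"] for a in alerts if a["rule"] == "wmic_recon")
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("inventory bursts:", recon_burst(found))
```

Run against the constructed events, the hunt returns three alerts (the shell spawned by WmiPrvSE.exe and the two wmic.exe inventory queries) and one user whose queries form a burst; the legitimate WmiPrvSE.exe start under svchost.exe and the notepad.exe launch produce nothing. On real telemetry, tune the class list and threshold against your own administrators' baseline before alerting.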

ShadowNet typically uses a multi-layered C2 scheme: the implant first connects to blog websites and retrieves its real C2 address from encoded strings the operators have posted there. Using blog sites as intermediaries lets the attackers keep control of compromised machines even if a C2 server is blocked by a network firewall or otherwise goes down; to move to new servers they only need to update the encoded string on the intermediary. For defenders this means the first-stage requests look like ordinary web browsing, and the blog URLs and the encoded strings themselves are the indicators worth collecting.
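The blog-as-intermediary lookup described above, written from the analyst's side as an added example (not code from the original card or from Citizen Lab) so that the two stages and the fallback behaviour are explicit. The marker tokens, the base64 encoding and the three blog pages are assumptions constructed for this example; ShadowNet's real string format is not documented on this page.

```python
"""
Added example, not code from the original card or from Citizen Lab: the
blog-as-intermediary C2 lookup described above, written from the analyst's
side so the two stages are explicit. The marker tokens, the base64 encoding
and the blog pages below are assumptions constructed for this example;
ShadowNet's real string format is not documented on this page.
"""
import base64
import re
from typing import Optional

START_MARKER = "@@C2@@"   # assumed delimiter before the encoded string
END_MARKER = "@@END@@"    # assumed delimiter after it

# Constructed stand-ins for blog pages an implant would fetch (stage 1).
# Only the second still carries a valid encoded C2 string; the first has
# been cleaned up and the third holds a corrupted value.
SAMPLE_PAGES = {
    "http://blog1.example/post/42": "<html><body><p>Nothing to see.</p></body></html>",
    "http://blog2.example/post/7": (
        "<html><body><p>Had a great week in the mountains.</p>\n"
        "<!-- @@C2@@ aHR0cDovLzE5Mi4wLjIuMTA6ODA4MC9nYXRl @@END@@ -->\n"
        "<p>More photos soon.</p></body></html>"
    ),
    "http://blog3.example/post/9": "<!-- @@C2@@ not*base64* @@END@@ -->",
}

_PATTERN = re.compile(
    re.escape(START_MARKER) + r"\s*(\S+)\s*" + re.escape(END_MARKER)
)


def extract_encoded(page: str) -> Optional[str]:
    """Return the raw string between the markers, or None if the page has none."""
    m = _PATTERN.search(page)
    return m.group(1) if m else None


def decode_c2(encoded: str) -> Optional[str]:
    """Decode the base64 payload to a C2 URL; None if it is not valid base64/ASCII."""
    try:
        return base64.b64decode(encoded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def resolve_c2(pages: dict, intermediaries: list) -> tuple:
    """Walk the intermediary list in order, as an implant would, and return
    (c2_url_or_None, intermediaries_contacted). Every URL contacted is a
    stage-1 indicator a defender can block or monitor before the real C2
    is known."""
    contacted = []
    for url in intermediaries:
        contacted.append(url)
        page = pages.get(url)           # stand-in for an HTTP GET
        if page is None:
            continue                    # blog down or blocked: try the next one
        encoded = extract_encoded(page)
        if encoded is None:
            continue                    # post edited or removed: try the next one
        c2 = decode_c2(encoded)
        if c2 is not None:
            return c2, contacted
    return None, contacted


if __name__ == "__main__":
    order = list(SAMPLE_PAGES)
    c2, seen = resolve_c2(SAMPLE_PAGES, order)
    print("C2:", c2)                     # http://192.0.2.10:8080/gate
    print("intermediaries contacted:", seen)
```

The resolver skips the cleaned-up first blog and returns the C2 from the second, which is the resilience the description refers to: the operators never have to touch the implant, only the post. The same parser, pointed at a sandbox capture of the implant's HTTP traffic, yields both the intermediary list and the current C2 for blocking.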

Names

Name
ShadowNet

Category

Malware

Type

  • Backdoor
  • Info stealer
  • Exfiltration

Information

Other Information

Uuid

93ab0ca2-e9e1-422e-b35e-04fe80d4974d

Last Card Change

2020-04-20