{"id":434356,"date":"2022-10-27T17:13:23","date_gmt":"2022-10-27T19:13:23","guid":{"rendered":"https:\/\/teknomers.com\/fr\/des-chercheurs-exposent-plus-de-80-serveurs-shadowpad-malware-c2\/"},"modified":"2022-10-27T17:13:23","modified_gmt":"2022-10-27T19:13:23","slug":"des-chercheurs-exposent-plus-de-80-serveurs-shadowpad-malware-c2","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/des-chercheurs-exposent-plus-de-80-serveurs-shadowpad-malware-c2\/","title":{"rendered":"Des chercheurs exposent plus de 80 serveurs ShadowPad Malware C2"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" alt=\"Logiciel malveillant ShadowPad\" border=\"0\" data-original-height=\"380\" data-original-width=\"728\" src=\"https:\/\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEh8ne66RXxVI-7GwzIZERx462gjHp2v3IlkcFA4TG6e6K1-rmtaDUx8wu7giwwQqN3q__TJHIBPmuOeW-qla2fWtBiXAJqq6NU1PghHzejGh3IpBFCGc020QVQHpjubgy7R7DQKxP-FN8x341g64Yg0inMLr8aX1bLpB_fJQDw0rsx5ds2OCwv5lwRR\/s728-e1000\/botnet.jpg\" title=\"Logiciel malveillant ShadowPad\"\/><\/div>\n<p>Pas moins de 85 serveurs de commande et de contr\u00f4le (C2) ont \u00e9t\u00e9 <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/carbonblack\/active_c2_ioc_public\/blob\/main\/shadowpad\/shadowpad_202210.tsv\" target=\"_blank\">d\u00e9couvert<\/a> pris en charge par le malware ShadowPad depuis septembre 2021, avec une infrastructure d\u00e9tect\u00e9e aussi r\u00e9cemment que le 16 octobre 2022.<\/p>\n<p>C&#8217;est selon l&#8217;unit\u00e9 d&#8217;analyse des menaces (TAU) de VMware, qui <a rel=\"nofollow noopener\" href=\"https:\/\/blogs.vmware.com\/security\/2022\/10\/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html\" target=\"_blank\">\u00e9tudi\u00e9<\/a> trois variantes de ShadowPad utilisant les protocoles TCP, UDP et HTTP(S) pour les communications C2.<\/p>\n<p>ShadowPad, consid\u00e9r\u00e9 comme le successeur de PlugX, est une plate-forme modulaire de logiciels malveillants partag\u00e9e en priv\u00e9 entre plusieurs acteurs chinois parrain\u00e9s par l&#8217;\u00c9tat depuis 2015.<\/p>\n<p>La soci\u00e9t\u00e9 ta\u00efwanaise de cybers\u00e9curit\u00e9 TeamT5, plus t\u00f4t en mai, a divulgu\u00e9 les d\u00e9tails d&#8217;un autre implant modulaire China-nexus nomm\u00e9 <a rel=\"nofollow noopener\" href=\"https:\/\/www.blackhat.com\/asia-22\/briefings\/schedule\/index.html#the-next-gen-plugxshadowpad-a-dive-into-the-emerging-china-nexus-modular-trojan-pangolinrat-25950\" target=\"_blank\">Pangolin8RAT<\/a>qui est consid\u00e9r\u00e9 comme le successeur des familles de logiciels malveillants PlugX et ShadowPad, le reliant \u00e0 un groupe de menaces appel\u00e9 Tianwu.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"567\" data-original-width=\"728\" src=\"https:\/\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEjU6zwNib1IklC9GWNBMows8D7jpKPMJOlBYQbZJEWQQFZBZX46sQNFxAJxmucQiIojP-_MNF3N8zDXYwtdmO8zV7tfx9-__SejFAVB75STvGBUGGF0bY7HG-O1z06AXT4Qm6Ethypy_radZ55imh_DaOfXEu8jwe-dN--FdM0EXWtPQP-JjQIxmA1Y\/s728-e100\/malware.jpg\"\/><\/div>\n<p>Une analyse des trois artefacts ShadowPad, qui ont \u00e9t\u00e9 pr\u00e9c\u00e9demment utilis\u00e9s par Winnti, Tonto Team et un groupe de menaces \u00e9mergentes nomm\u00e9 Space Pirates, a permis de d\u00e9couvrir les serveurs C2 en scannant la liste des h\u00f4tes ouverts g\u00e9n\u00e9r\u00e9e par un outil appel\u00e9 <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/zmap\/zmap\" target=\"_blank\">ZMap<\/a>a d\u00e9clar\u00e9 VMware.<\/p>\n<div class=\"ad_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/crowd-mid-d\" target=\"_blank\" title=\"CyberSecurity\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEglTybVbyQ3y6xCIxW9BIpqhgWBf_IhNgCo44HrgwUeYVi_GwvasznH93LLdkqJLwdp4DUkFkILg6m3WDgkue7MFxmbzFxmTBe7-pukEjyvUZ3j9yGyBcL2yUAZVFSQkjSric7YYfU8WgwHwYsS2-3wZ1zLQDAqgkoEpk5kZsbUuyh0UlV8nq7PplYEgQ\/s1600\/banners-crowdsec-728.png\" width=\"728\" height=\"90\"\/><\/a><\/center><\/div>\n<p>La soci\u00e9t\u00e9 a en outre r\u00e9v\u00e9l\u00e9 avoir identifi\u00e9 Spyder et <a rel=\"nofollow noopener\" href=\"https:\/\/jsac.jpcert.or.jp\/archive\/2021\/pdf\/JSAC2021_301_shui-leon_en.pdf\" target=\"_blank\">InverserFen\u00eatre<\/a> des \u00e9chantillons de logiciels malveillants communiquant avec des adresses IP ShadowPad C2, qui sont toutes deux <a rel=\"nofollow noopener\" href=\"https:\/\/news.drweb.com\/show\/?i=14154\" target=\"_blank\">outils malveillants<\/a> mis \u00e0 profit par APT41 (alias Winnti) et LuoYu.<\/p>\n<p>De plus, des chevauchements ont \u00e9t\u00e9 observ\u00e9s entre l&#8217;\u00e9chantillon Spyder susmentionn\u00e9 et un composant Worker de l&#8217;auteur de la menace. <a rel=\"nofollow noopener\" href=\"https:\/\/blogs.vmware.com\/security\/2019\/09\/cb-tau-threat-intelligence-notification-winnti-malware-4-0.html\" target=\"_blank\">Cheval de Troie Winnti 4.0<\/a>.<\/p>\n<p>&#8220;Scanner les logiciels malveillants APT C2 sur Internet, c&#8217;est parfois comme trouver une aiguille dans une botte de foin&#8221;, a d\u00e9clar\u00e9 Takahiro Haruyama, chercheur principal sur les menaces chez VMware TAU.  &#8220;Cependant, une fois que l&#8217;analyse C2 fonctionne, elle peut changer la donne en tant que l&#8217;une des approches de d\u00e9tection des menaces les plus proactives.&#8221;<\/p>\n<p><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/10\/researchers-expose-over-80-shadowpad.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pas moins de 85 serveurs de commande et de contr\u00f4le (C2) ont \u00e9t\u00e9 d\u00e9couvert pris en charge par le malware ShadowPad depuis septembre 2021, avec une infrastructure d\u00e9tect\u00e9e aussi r\u00e9cemment que le 16 octobre 2022. C&#8217;est selon l&#8217;unit\u00e9 d&#8217;analyse des menaces (TAU) de VMware, qui \u00e9tudi\u00e9 trois variantes de ShadowPad utilisant les protocoles TCP, UDP [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[12848,4168,4158,4165,4161,133,39576,4157,4159,4171,4170,4167,4174,4160,4163,4162,4172,4169,8541,83812,4166,4164],"class_list":["post-434356","post","type-post","status-publish","format-standard","hentry","category-technologie","tag-chercheurs","tag-comment-pirater","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-des","tag-exposent","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-logiciel-malveillant-de-ransomware","tag-malware","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-securite-informatique","tag-securite-internet","tag-serveurs","tag-shadowpad","tag-violation-de-donnees","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/434356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=434356"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/434356\/revisions"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=434356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=434356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=434356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}