Noushin Shabab
Kaspersky Lab
Noushin Shabab is a cyber security researcher based in Melbourne Australia specialising in reverse engineering and targeted attack investigations. She joined Kaspersky Lab in 2016 as a senior security researcher in the Global Research & Analysis Team (GReAT). Her research focuses on the investigation of advanced cyber criminal activities and targeted attacks with a particular focus on local threats in the APAC region. Prior to joining Kaspersky Lab, Noushin used to work as a senior malware analyst and software developer for a prominent security software company in Iran. She has first-hand knowledge of rootkit analysis and detection techniques as well as APT attack investigations. Noushin_Shabab_Finding_A_Monster_By_Its_Shadow_AusCERT18

Finding a Monster by its Shadow

In August 2017 Kaspersky Lab has discovered a devastating attack on supply chain. The threat actor, called “ShadowPad” was discovered accidentally in suspicious DNS traffic originating from one of our partner’s network. As far as the partner was in financial industry and suspicious traffic was coming from a system responsible for processing financial transactions this case was given a very high priority. Very soon, we realized that our partner was using backdoored version of server management software, which contained valid digital signature. At the time of research it was available from the official website. Few days after we found that thousands of other organisations were using same backdoored software from the same vendor based in South Korea known as NetSarang. NetSarang Computer Inc is a popular provider of server management tools and secure connectivity solution for customers based in more than 90 countries around the world. Their official website listed dozens of names from TOP500 world’s largest businesses. Incidents like this do not happen often. Investigation revealed that the breach of NetSarang was part of a targeted attack using supply chain. Thousands of infections including our partner was simply collateral damage. It suggests that the attacker was very advanced and extremely powerful. This research focuses on the details and new findings about the ShadowPad malware and the threat actor behind it.