The group employs a customized ShadowPad IIS Listener module to remodel compromised servers right into a resilient, distributed relay community.
This method permits attackers to route malicious site visitors by sufferer infrastructure, successfully turning hacked organizations right into a mesh of command-and-control nodes.
The operation begins by exploiting long-standing vulnerabilities, particularly ASP.NET ViewState deserialization and SharePoint flaws equivalent to ToolShell.
By leveraging leaked machine keys or unpatched endpoints, attackers obtain distant code execution, resulting in full-system compromise.
As soon as established, the malware creates a covert channel that blends seamlessly with reputable net site visitors, making detection exceptionally tough for community defenders monitoring normal protocols.
Verify Level analysts recognized this evolving menace cluster, noting that the group—often known as Earth Alux or REF7707—has considerably refined its tradecraft.
The researchers noticed that Ink Dragon doesn’t merely use victims for information theft however actively repurposes them to assist ongoing operations in opposition to different targets.
Assault chain (Supply – Verify Level)
This creates a self-sustaining infrastructure that obscures the true origin of the assaults whereas maximizing the utility of each compromised asset.
This modular structure grants the attackers persistent entry and the flexibility to pivot laterally throughout networks.
Utilizing native IIS capabilities to intercept and relay communications ensures that command site visitors stays hidden inside normal HTTP streams.
This strategic reuse of compromised property highlights a mature operational philosophy targeted on long-term stealth, resilience, and the continual enlargement of their operational attain.
The ShadowPad IIS Listener Mechanism
The core of this marketing campaign is a customized IIS module that operates otherwise from conventional backdoors.
As an alternative of merely opening a port, it makes use of the HttpAddUrl API to register dynamic URL listeners that intercept particular HTTP requests.
When a request matches the configured sample, the module decrypts the payload to find out if it’s a command.
If the site visitors doesn’t match the proprietary protocol, the module forwards it to the reputable IIS employee, which serves regular net content material to keep away from elevating suspicion.
This stealthy interception permits the implant to coexist with reputable functions with out disrupting service availability.
Relay Community (Supply – Verify Level)
The module makes use of a particular decryption routine to deal with preliminary packets, guaranteeing that solely approved operator site visitors is processed.
def decrypt_first_packet(buf: bytearray, seed: int, size: int):
rely = size – 2
seed_lo = buf[0]
seed_hi = buf[1]
num = (seed_hi << 8) | seed_lo
num &= 0xFFFFFFFF
pos = 2
for _ in vary(rely):
hello = (num >> 16) & 0xFFFF
num = (hello * 0x7093915D – num * 0x6EA30000 + 0x06B0F0E3) & 0xFFFFFFFF
buf[pos] ^= num & 0xFF
pos += 1
return buf
By sustaining separate lists for server and consumer nodes, the malware routinely pairs connections to relay information between them.
This permits the attackers to bridge communications throughout unrelated sufferer networks, complicating attribution and remediation efforts.
This relay logic is supported by granular debug logging, which paperwork byte transfers and helps analysts map the broader communication graph.
Comply with us on Google Information, LinkedIn, and X to Get Extra Prompt Updates, Set CSN as a Most well-liked Supply in Google.
