Cybercrime TTPs May Come and Go but the Actors Behind Them Stay the Same: The ShadowGate Case

in cybersecurity •  5 years ago 

Cybercriminals and gangs come and go, as we’ve seen throughout the Internet’s history. Their tactics, techniques, and procedures, the so-called TTPs, constantly evolve as well, in step with improvements to the way networks and systems are secured against threats. But one thing is clear: cyber attackers don’t stop unless they’re incarcerated. Such is the case we’re now seeing with the ShadowGate or WordsJS gang. So how do companies avoid becoming their victims?

A good way to avoid becoming a party to their crimes, whether as a victim or as an unwitting accomplice, is to keep your domains threat-free. Let’s dissect the crimes the ShadowGate group has been involved in to see how a WHOIS database download can help.

Getting to Know the Gang and Their Crimes
The ShadowGate gang first came onto the scene back in 2015 by launching malvertising attacks against companies in Asia, particularly South Korea. They compromised various organizations’ websites and pages with a backdoor that pushed malicious advertisements to visitors. The infected visitor systems then sent stolen credentials and personal information to the attackers’ command-and-control (C&C) servers.

The ShadowGate crew kept at their schemes until around 2016, then went on a two-year hiatus. That wasn’t the end of the line for them, though: they have recently resurfaced with a number of new malicious schemes while casting an even bigger net, targeting not just Asian companies but practically any organization worldwide.

Since the compromised Revive/OpenX ad servers they relied on back then were shut down, they now come armed with a harder-to-trace, custom-made exploit kit dubbed “Greenflash Sundown”. It is still delivered through malvertising, but it now drops cryptocurrency-mining and ransomware payloads as well.

Apart from the use of the same exploit kit, these attacks also made use of unsuspecting website and page owners’ domains to spread malware mayhem.

Malvertising
In this attack, the ShadowGate gang injected various companies’ subdomains with a backdoor (aided by the Neutrino Exploit Kit) that sent information stolen from the sites’ and pages’ visitors to the gang’s C&C server.

This attack shows why it’s important not just to maintain your domains’ health and safety but to pay attention to all of your subdomains as well, because threat actors surely do.

Cryptocurrency Mining
In this attack, the ShadowGate crew injected target organizations’ sites and pages with cryptocurrency-mining malware that used the victims’ computing resources to line the gang’s pockets. Such a case highlights why anyone with an online presence needs to make sure threat actors are not abusing their infrastructure for their own gain. Blocking access to known indicators of compromise, or IoCs (in this case, domains), from your virtual properties should beef up your cyber defense.

Ransomware
In this attack, the ShadowGate gang injected SEON ransomware into insufficiently secured sites and pages. Once executed on a visitor’s machine, it encrypted the user’s files and held them hostage until the ransom was paid. This again reiterates the importance of securing all your domains from online threats.

What Can Your Company Do Against the ShadowGate Threat?
Hunting down the ShadowGate gang yourself so they land in jail is beyond what a private individual or company should attempt, and anything that involves touching the attackers’ infrastructure is illegal in any case. Protecting your own assets, however, isn’t.

The first logical step in securing digital properties is running a complete audit of your assets. Compile a comprehensive list of your domains, including subdomains (if you learned anything from the recent spate of malvertising attacks), with the aid of a WHOIS database download.

Choose one with an exhaustive list of domains that spans the entire TLD space so you won’t fail to cover all your bases. Keep in mind that WHOIS records describe registered domains, not the hosts under them, so for subdomains you will also need your own DNS zone files, passive DNS, or Certificate Transparency logs. Make sure your entire virtual real estate has the latest security patches to prevent vulnerability exploitation, and use a virtual patching and/or shielding solution as well. Stay abreast of security-related news so you can constantly update your threat intelligence. If your security solutions don’t block every potential threat vector, block the remaining ones yourself, for instance at your DNS resolver or web proxy. Don’t limit access blocking to IoCs collated from security feeds. Go the extra mile: use your chosen WHOIS database download to find the domains that share registrant details or name servers with those IoCs, and block them too. Be aware that pivots on widely shared infrastructure (a name server used by thousands of unrelated domains) or on redacted registrant fields produce false positives, so review each pivot before it goes into a block list.
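As an added example that is not part of the original post (nor any vendor’s tool), the script below walks through the procedure above on a small constructed WHOIS dump: it inventories our own domains by registrant organization, pivots from one seed IoC domain to related domains that share a registrant e-mail or a low-volume name server, matches the resulting block list against a few constructed resolver log lines using label-wise subdomain matching, and emits RPZ records for the resolver. The field names, all domain names (reserved `.test`/`.example` names), the log format and the shared-name-server threshold are assumptions made for the example.

```python
"""Pivot on WHOIS data to build a domain block list and apply it to DNS logs.

Constructed example: the WHOIS records, the seed IoC and the log lines below
are invented for illustration; field names are assumptions, not a vendor format.
"""
from collections import Counter

WHOIS_RECORDS = [  # constructed WHOIS dump
    {"domain": "example.com", "registrant_org": "Example Corp",
     "registrant_email": "hostmaster@example.com", "nameserver": "ns1.bigdns.example"},
    {"domain": "example-shop.com", "registrant_org": "Example Corp",
     "registrant_email": "hostmaster@example.com", "nameserver": "ns1.bigdns.example"},
    {"domain": "malvert-one.test", "registrant_org": "",
     "registrant_email": "ops@throwaway.test", "nameserver": "ns1.bigdns.example"},
    {"domain": "malvert-two.test", "registrant_org": "",
     "registrant_email": "ops@throwaway.test", "nameserver": "ns.selfhosted.test"},
    {"domain": "cheap-miner.test", "registrant_org": "",
     "registrant_email": "other@throwaway.test", "nameserver": "ns.selfhosted.test"},
    {"domain": "innocent-blog.test", "registrant_org": "A Blogger",
     "registrant_email": "blog@mail.test", "nameserver": "ns1.bigdns.example"},
]

SEED_IOCS = {"malvert-one.test"}  # constructed: one domain from a threat-intel feed

# Constructed resolver log lines: "<timestamp> <client> query: <qname> <qtype>".
DNS_LOG = """\
2019-06-20T10:01:02Z 10.0.0.5 query: www.malvert-one.test A
2019-06-20T10:01:03Z 10.0.0.5 query: example.com A
2019-06-20T10:01:04Z 10.0.0.9 query: cdn.malvert-two.test A
2019-06-20T10:01:05Z 10.0.0.9 query: notmalvert-one.test A
2019-06-20T10:01:06Z 10.0.0.7 query: innocent-blog.test A
2019-06-20T10:01:07Z 10.0.0.7 query: cheap-miner.test TXT
"""

# A name server used by this many or more domains in the dump is treated as shared
# hosting infrastructure and is never used as a pivot (it would drag in benign sites).
SHARED_NS_THRESHOLD = 3  # assumed value; tune to the size of the real dump


def own_assets(records, org):
    """Step 1: inventory every domain the dump attributes to our organization."""
    return sorted(r["domain"] for r in records if r["registrant_org"] == org)


def pivot_related(records, seeds, hops=1, shared_ns_threshold=SHARED_NS_THRESHOLD):
    """Step 2: expand the seed IoCs, one hop per iteration, to domains sharing a
    registrant e-mail or a low-volume name server with anything already related."""
    by_domain = {r["domain"]: r for r in records}
    ns_usage = Counter(r["nameserver"] for r in records)
    related = set(seeds)
    for _ in range(hops):
        emails = {by_domain[d]["registrant_email"] for d in related
                  if d in by_domain and by_domain[d]["registrant_email"]}
        nss = {by_domain[d]["nameserver"] for d in related
               if d in by_domain and ns_usage[by_domain[d]["nameserver"]] < shared_ns_threshold}
        for r in records:
            if r["registrant_email"] in emails or r["nameserver"] in nss:
                related.add(r["domain"])
    return related


def is_blocked(qname, blocklist):
    """Label-wise match: the domain itself or any subdomain of it, so that
    'notmalvert-one.test' does not match 'malvert-one.test'."""
    q = qname.rstrip(".").lower()
    return any(q == b or q.endswith("." + b) for b in blocklist)


def flag_dns_log(log_text, blocklist):
    """Step 3: run the block list over resolver log lines; returns (client, qname) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query:":
            continue  # skip lines that are not queries in the assumed format
        client, qname = parts[1], parts[3]
        if is_blocked(qname, blocklist):
            hits.append((client, qname))
    return hits


def to_rpz(blocklist):
    """Step 4: emit response-policy-zone records (NXDOMAIN action via 'CNAME .')
    for each blocked domain and all of its subdomains."""
    lines = []
    for d in sorted(blocklist):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    print("own assets:", own_assets(WHOIS_RECORDS, "Example Corp"))
    blocklist = pivot_related(WHOIS_RECORDS, SEED_IOCS, hops=2)
    print("block list:", sorted(blocklist))
    for client, qname in flag_dns_log(DNS_LOG, blocklist):
        print(f"HIT {client} -> {qname}")
    print("\n".join(to_rpz(blocklist)))
```

With one hop the seed’s registrant e-mail pulls in `malvert-two.test`, while its name server, which four domains in the dump share, is deliberately not used as a pivot, so `innocent-blog.test` stays off the list. A second hop follows `malvert-two.test`’s low-volume name server to `cheap-miner.test`. Each extra hop widens the net and raises the false-positive risk, which is why the pivot depth and the shared-name-server threshold are explicit parameters rather than defaults to trust blindly.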


Protecting your virtual world is not a one-time thing. To ensure your business’s success, do as the cybercriminals do: stay on the lookout for any and all possible threat sources and keep them from scaling your company’s walls with your own arsenal of up-to-date TTPs.

Hey there @alexpolylead, welcome to STEEM. If you join @schoolofminnows, you can receive votes for free.
1. Your post will appear in post-promotion on the discord.
2. Your posts will also get featured on the school of minnows account on steem
https://steemit.com/@schoolofminnows
3. You get votes from other members.
4. The whole thing is FREE.
To join follow this link:
https://steem.host/connect/steempunks