Full Report
AhnLab and the National Cyber Security Center (NCSC) have released a report detailing the activities of the TA-ShadowCricket group from 2023 to the present. Full report: (APT Group Tracking Report) TA-ShadowCricket_2025.05.23.pdf (currently available in Korean only). Since November 2024, AhnLab has been working with the NCSC to analyze the […]
Analysis Summary
# Threat Actor: TA-ShadowCricket
## Attribution & Identity
* **Current Name:** TA-ShadowCricket (Following AhnLab's taxonomy)
* **Former Alias/Association:** Shadow Force
* **Attribution Indication:** Believed to be associated with China, based on RDP access originating from Chinese IPs and C2 server access from a Chinese IP address.
* **Internal Tracking ID (AhnLab):** Larva-24013 (Previously unidentified)
## Activity Summary
TA-ShadowCricket has been active since 2012, operating quietly for over 13 years. Investigations began in November 2024, analyzing malicious IRC servers and associated malware, leading to formal identification. The group has maintained consistent attack momentum, often reusing malware names and maintaining control over compromised systems spanning over a decade. Since 2023, they have remained highly active. The actor operates a botnet comprising over 2,000 compromised systems across 72 countries, managed via an IRC server. They have not been observed demanding ransom or leaking stolen data, focusing instead on long-term exfiltration and infrastructure consolidation for potential future large-scale operations (e.g., DDoS attacks).
## Tactics, Techniques & Procedures
The infection process is broadly divided into three stages:
* **Stage 1: Reconnaissance and Installation/Download:**
  * Privilege escalation and system information collection.
  * Using downloaders to fetch secondary payloads.
  * Modifying system files for persistence.
* **Stage 2: Backdoor Deployment:**
  * Installing backdoors for remote access and command execution.
* **Stage 3: Additional Malicious Behaviors:**
  * Data collection, credential theft, and resource hijacking.
**Specific TTPs & Malware Behaviors:**
* **Initial Access:** Primarily targeting externally exposed Windows servers via Remote Desktop Protocol (RDP) or poorly managed Microsoft SQL (MS-SQL) servers.
* **Persistence/Execution:**
  * Using `Pemodifier` (iat.exe or iatinfect.exe) to patch Windows executable files to load malicious DLLs.
  * Utilizing the WinPcap packet capture library to send network packets with a specific "Magic Sequence" to activate the ShadowForce backdoor.
  * The Maggie backdoor is implemented as an Extended Stored Procedure (ESP) in MS SQL Server, controlled via SQL queries.
* **C2 Communication:** Operates an IRC botnet structure; backdoors do not rely on fixed C&C servers but communicate via the IRC infrastructure.
* **Post-Exploitation Activity:** Confirmed installation of keyloggers, credential stealers, and cryptocurrency miners.
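The `Pemodifier` behaviour described above (patching an executable so that it loads an extra DLL) is something a defender can hunt for by walking import tables. The following Python is an added example and is not code from the report or from AhnLab: the baseline DLL list, the section-name heuristic and the synthetic PE builder used as input are assumptions constructed for illustration, and since the report does not describe exactly how `Pemodifier` modifies a file, the check is a generic one for imports that a given binary is not expected to have.

```python
"""Audit a PE image's import table for DLLs outside an expected baseline.
Added example (not from the report): a heuristic for spotting executables whose
import table has been patched to pull in an extra DLL. The baseline list, the
section heuristic and the synthetic PE builder are constructed assumptions."""
import struct

# Assumed baseline of DLLs a given server binary is expected to import.
BASELINE_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
                 "msvcrt.dll", "ws2_32.dll"}
# Sections in which a compiler-produced import directory normally lives.
USUAL_IMPORT_SECTIONS = {".idata", ".rdata", ".text", ".data"}


def _rva_to_offset(sections, rva):
    """Map an RVA to (file offset, section name) using the section table."""
    for name, vaddr, size, raw in sections:
        if vaddr <= rva < vaddr + size:
            return raw + (rva - vaddr), name
    raise ValueError(f"RVA {rva:#x} not mapped by any section")


def parse_imports(data):
    """Return (section hosting the import directory, [imported DLL names])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ layout
    imp_rva = struct.unpack_from("<I", data, dir_off + 8)[0]  # data directory entry 1
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raw = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(), vaddr, max(vsize, rsize), raw))
    if imp_rva == 0:
        return None, []
    off, host = _rva_to_offset(sections, imp_rva)
    dlls = []
    while True:
        desc = struct.unpack_from("<IIIII", data, off)   # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):
            break                                        # all-zero entry ends the list
        name_off, _ = _rva_to_offset(sections, desc[3])  # desc[3] = Name RVA
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode())
        off += 20
    return host, dlls


def audit_imports(data, baseline=BASELINE_DLLS):
    """Return human-readable findings; an empty list means nothing unusual."""
    host, dlls = parse_imports(data)
    findings = [f"unexpected import: {d}" for d in dlls if d.lower() not in baseline]
    if host is not None and host not in USUAL_IMPORT_SECTIONS:
        findings.append(f"import directory lives in unusual section {host}")
    return findings


def build_sample_pe(dll_names, section_name=b".idata"):
    """Build a minimal PE32 whose single section holds an import directory
    naming `dll_names`. Constructed test input, not a real binary."""
    sec_rva, sec_raw = 0x1000, 0x200
    names_off = (len(dll_names) + 1) * 20                # descriptors, then name strings
    descs, names = b"", b""
    for name in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, sec_rva + names_off + len(names), 0)
        names += name.encode() + b"\0"
    descs += b"\0" * 20
    payload = descs + names
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, len(descs))
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(
        struct.pack("<II", r, s) for r, s in dirs)
    sec = struct.pack("<8sIIIIIIHHI", section_name, len(payload), sec_rva,
                      len(payload), sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + payload


CLEAN_PE = build_sample_pe(["kernel32.dll", "user32.dll"])
PATCHED_PE = build_sample_pe(["kernel32.dll", "user32.dll", "hooked.dll"], b".patch")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("patched", PATCHED_PE)):
        print(label, audit_imports(image) or ["no findings"])
```

To run it against real files, pass `open(path, "rb").read()` to `audit_imports` and tune the baseline per binary, since legitimate imports differ from one server executable to the next; treat a hit as a lead to compare against a known-good copy of the file, not as a verdict.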
**Malware/Tools Mentioned:**
* **Stage 1:** Reconnaissance tools (unnamed), `SqlShell`, Downloader (2024), `Pemodifier` (executable patching tool, 2014).
* **Stage 2:** Backdoors: `Wgdrop` (IRC Bot, 2012), `Sqldoor` (2019-2024), `Maggie` (since 2021, replacing ShadowForce).
* **Stage 3:** `CredentialStealer` (2023), `Detofin` (Hooking via Detour, 2024), `Miner` (2021), `MaggieScan` (MS-SQL Scanner), `ShadUser` (Account Management, 2021), `AddPath` (Defender exclusion adder, 2024), `Fport/Mport` (Port Mapping, 2021).
* **Code Keywords:** `Melody`, `Syrinx`, and `WinEggDrop`.
## Targeting
* **Sectors:** General IT infrastructure, specifically focused on servers with weak configurations (RDP, MS-SQL).
* **Geography:** Primarily the Asia-Pacific region, with South Korea noted as a base of activity. Global reach confirmed via botnet distribution.
  * Global affected IPs (over 2,000): China (895), Korea (457), India (98), Vietnam (94), Taiwan (44), Germany (38), Indonesia (37), Thailand (31), United States (25).
* **Victims:** Over 2,000 systems across 72 countries have been compromised and integrated into the botnet. Specific organizational victims were not named.
* **Access Vector:** Active RDP access and control observed from July 2020 to February 2025.
## Tools & Infrastructure
* **Malware Families:** Maggie, ShadowForce, Wgdrop, Sqldoor, SqlShell, CredentialStealer, Detofin, Miner.
* **Infrastructure (C2):** IRC Server structure is heavily utilized.
  * **FQDNs (Defanged):** `abc[.]itembuy[.]org`, `irc[.]itembuy[.]org`, `www[.]itembuy[.]org`
  * **IPs (Defanged):** `1[.]234[.]4[.]115`, `114[.]202[.]2[.]32`, `121[.]178[.]180[.]210`, `210[.]127[.]211[.]40`, `211[.]204[.]100[.]20`
  * A Korean IP address is currently connected to the primary IRC domain.
## Implications
TA-ShadowCricket represents a long-running, established threat actor focused on stealthy data exfiltration and maintaining a massive, resilient botnet infrastructure (IRC-controlled). Their longevity, sustained operations without immediate financial extortion, and technical sophistication (e.g., custom ESP backdoors) suggest a goal extending beyond typical cybercrime, possibly espionage or intelligence gathering, though the presence of coin miners introduces ambiguity regarding state sponsorship. The actor is currently prepared to escalate activities.
## Mitigations
* Immediately block access to the identified IRC server domains and IP addresses.
* Promptly detect, neutralize, and remove associated malware strains (including file names such as `ntuser.dat` and `re.0001`).
* Aggressively secure externally exposed Windows servers, focusing on RDP access through strong authentication and network segmentation.
* Patch and secure all Microsoft SQL servers against common vulnerabilities, especially if accessible externally.
* Monitor for indicators of file patching or DLL injection, particularly related to Windows operating system files.
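To act on the first mitigation item, the IRC domains and addresses listed under Tools & Infrastructure have to be refanged and swept against DNS and connection logs before they are blocked. The following Python is an added example, not part of the report or of AhnLab's tooling: the DNS and firewall log formats and the sample lines are constructed, the decision to also watch any other host under `itembuy.org` is an assumption (the report lists three hosts, not the zone), and the `netsh advfirewall` rules it prints are ordinary Windows Firewall outbound blocks for the listed IPs.

```python
"""Refang the report's IRC infrastructure indicators, sweep DNS and firewall
logs for them, and emit outbound block rules. Added example, not from the
report; log formats, sample lines and the watched-zone rule are assumptions."""
import ipaddress
import re

# Indicators exactly as the report publishes them (defanged).
DEFANGED_FQDNS = ["abc[.]itembuy[.]org", "irc[.]itembuy[.]org", "www[.]itembuy[.]org"]
DEFANGED_IPS = ["1[.]234[.]4[.]115", "114[.]202[.]2[.]32", "121[.]178[.]180[.]210",
                "210[.]127[.]211[.]40", "211[.]204[.]100[.]20"]
# Assumption: every listed host sits under one zone, so the zone itself is watched.
WATCHED_ZONES = {"itembuy.org"}


def refang(indicator):
    """Reverse the '[.]' defanging so the value can be matched in logs."""
    return indicator.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_FQDNS}
IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}

# Constructed log formats (assumed, not from the report):
#   <ts> client <src> query <qname>
#   <ts> ALLOW|DENY <src>:<sport> -> <dst>:<dport>
DNS_LINE = re.compile(r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<qname>\S+)$")
FW_LINE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\S+):\d+ -> "
                     r"(?P<dst>\S+):(?P<dport>\d+)$")


def domain_matches(qname):
    """True for a listed host or for any name inside a watched zone."""
    q = qname.rstrip(".").lower()
    return q in IOC_DOMAINS or any(q == z or q.endswith("." + z) for z in WATCHED_ZONES)


def sweep(lines):
    """Return (line_no, kind, indicator) for every log line touching the IOCs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_LINE.match(line)
        if m:
            if domain_matches(m["qname"]):
                hits.append((n, "dns", m["qname"].rstrip(".").lower()))
            continue
        m = FW_LINE.match(line)
        if m:
            try:
                dst = ipaddress.ip_address(m["dst"])
            except ValueError:
                continue                      # hostname or garbage in the dst field
            if dst in IOC_IPS:
                hits.append((n, "net", str(dst)))
    return hits


def windows_firewall_commands():
    """Outbound block rules for the IOC IPs in netsh advfirewall syntax."""
    return [f'netsh advfirewall firewall add rule name="TA-ShadowCricket C2 {ip}" '
            f"dir=out action=block remoteip={ip}" for ip in sorted(IOC_IPS)]


# Constructed sample log lines; only the indicators themselves come from the report.
SAMPLE_LOGS = [
    "2025-02-03T09:14:02Z client 10.0.0.15 query irc.itembuy.org.",
    "2025-02-03T09:14:05Z ALLOW 10.0.0.15:51820 -> 1.234.4.115:443",
    "2025-02-03T09:15:11Z client 10.0.0.22 query update.example.com.",
    "2025-02-03T09:16:40Z DENY 10.0.0.22:50001 -> 203.0.113.7:443",
    "2025-02-03T09:18:09Z client 10.0.0.15 query cdn.itembuy.org.",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print("line %d [%s] %s" % hit)
    print("\n".join(windows_firewall_commands()))
```

The DNS match is deliberately checked first and the IP match second, because a host that already resolved the IRC domain and then opened a connection to one of the addresses produces two hits on the same source, which is the pattern worth escalating; the block rules are a stopgap while the affected systems are checked for the backdoors and the file names the report lists.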