Backdoor detected in NetSarang's server management software

If you are using the NetSarang software suite, the July 18 update should worry you.

Researchers at Kaspersky Lab have found a backdoor hidden in NetSarang's server management software. Named ShadowPad, it is hidden in the nssock2.dll library shipped with NetSarang's Xmanager and Xshell software. Once every 8 hours it beacons to the C&C server, sending the identity of the compromised computer, its network details and the user name.

The backdoor activates as follows: the DLL generates domain names derived from the current month and year and performs DNS lookups on them. A DNS TXT record created specifically for that domain opens the channel to the control server; the software then downloads a decryption key and decrypts the next stage. That stage extends the backdoor so that an attacker can run code and exfiltrate data.

Anyone who can register the domain name for a given month and year and mimic the control server can therefore control organizations running the infected NetSarang tools.

The infected software packages include:

  1. Xmanager Enterprise 5.0 Build 1232
  2. Xmanager 5.0 Build 1045
  3. Xshell 5.0 Build 1322
  4. Xftp 5.0 Build 1218
  5. Xlpd 5.0 Build 1220

Someone apparently compromised NetSarang's systems and silently inserted the backdoor; the backdoor code was then delivered to users through software updates with legitimate passwords.

The back door is silently inserted into NetSarang's software

'ShadowPad is an example of how successful and wide-ranging supply chain attacks can be dangerous,' said Igor Soumenkov of Kaspersky's Global Research and Analysis Team on Tuesday. 'With the opportunity to access an attacker's data, it is more likely to be reproduced multiple times with more widely used software components.'

Kaspersky discovered the malware while investigating suspicious DNS requests from a financial customer's network in Hong Kong: essentially a beacon sent once every 8 hours. The team found that, once activated, ShadowPad downloads multiple modules from the C&C server and hides them in a virtual file system stored inside the registry.
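As an added example (not code from Kaspersky or NetSarang), the script below shows how a defender could spot the behaviour described above, a TXT lookup for the same domain repeating roughly every 8 hours from one host, in a DNS resolver log; the log lines, IP addresses and domain names are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log (placeholder values, not real ShadowPad
# traffic): host 10.0.0.5 queries a TXT record for one domain every ~8 hours,
# while host 10.0.0.9 issues ordinary A-record lookups at irregular times.
SAMPLE_LOG = """\
2017-07-20T00:02:11Z 10.0.0.5 TXT example-placeholder-201707.invalid
2017-07-20T00:05:40Z 10.0.0.9 A www.example.com
2017-07-20T08:02:09Z 10.0.0.5 TXT example-placeholder-201707.invalid
2017-07-20T11:41:03Z 10.0.0.9 A www.example.com
2017-07-20T16:02:13Z 10.0.0.5 TXT example-placeholder-201707.invalid
2017-07-20T17:10:00Z 10.0.0.9 A mail.example.com
2017-07-21T00:02:10Z 10.0.0.5 TXT example-placeholder-201707.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, source_ip, qtype, qname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3).upper(), m.group(4).lower()


def find_periodic_txt_beacons(text, period=timedelta(hours=8),
                              tolerance=timedelta(minutes=5), min_hits=3):
    """Return {(src, qname): gaps} for TXT lookups whose every gap between
    consecutive queries lies within `tolerance` of `period`."""
    series = defaultdict(list)
    for ts, src, qtype, qname in parse_log(text):
        if qtype == "TXT":
            series[(src, qname)].append(ts)
    hits = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            hits[key] = gaps
    return hits


if __name__ == "__main__":
    for (src, qname), gaps in find_periodic_txt_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {qname}: {len(gaps) + 1} TXT queries ~8h apart")
```

Tune `tolerance` and `min_hits` to the resolver's log volume; a real hunt would also correlate the flagged domain with the month/year pattern the article describes.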

NetSarang has released an update that removes the backdoor and is investigating how the code got into its software. The backdoored build first appeared on July 13 and was delivered to customers five days later, on July 18. If you are running an affected version, update immediately. Antivirus tools should also be updated so that they detect the compromised DLL.

Kaspersky said the malware resembles the Winnti and PlugX attack code used by Chinese hacking groups.

'Unfortunately, the release build of our product suite on July 18 contained a backdoor that could help attackers exploit it without our knowledge,' NetSarang said. 'The security of our customers and user base is our highest priority and ultimately our responsibility. The fact that groups take advantage of legitimate software to gain illicit profits is increasingly worrying, and NetSarang and many other companies in the computer software industry are looking at it seriously.'
