Backdoor Found in Netsarang Server Manager Software

Home / Articles / Backdoor Found in Netsarang Server Manager Software
Cyber criminals always come up with more and more innovative methods and became more stealthy and lethal. Their techniques are getting more and more sophisticated and are not just limited to direct attacks. They are becoming more keen on corrupting the sources.
Recently, they have managed to inject malicious APT in the update process of a popular software package used by many reputed organizations in Finance, Media, Energy and Medical Industry. This advanced backdoor is an APT and resides in the system without detection unless someone activates it.
It took researchers only 17 days before they discovered it and dissected the process by which they have achieved it.
This secret backdoor is named "ShadowPad", this backdoor gives attackers complete control over networks hidden behind crytographically signed software "Netsarang".
>If you are still using the software listed please ask vendor for updates.

How they did it?

As per researchers at Kaspersky Labs who discovered this well-hidden backdoor; someone managed to infiltrate the Netsarang's update servers stealthly inserting the backdoor into software update. So, as soon as the customers updates their systems that malicious code was also added to their legitimate signed certificate.
The attackers behind Petya/NotPetya ransomware which infected systems around the world in June (which was an orchestrated wiper attack) used the same tactics with Ukrainian financial software called MeDoc and replaced the updates with NotPetya infected software.

"ShadowPad is an example of the dangers posed by a successful supply-chain attack," Kaspersky Lab researchers said in their blog post published Tuesday. "Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components."

The secret backdoor was located in the nssock2.dll library within NetSarang's Xmanager and Xshell software suites that went live on the NetSarang website on July 18.

However, Kaspersky Labs researchers discovered the backdoor and privately reported it to the company on August 4, and NetSarang immediately took action by pulling down the compromised software suite from its website and replacing it with a previous clean version.

The affected NetSarang's software packages are:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220

What is the Damage?

ShadowPad is a hidden backdoor code in several layers of encrypted code that is decrypted only intended.


>"The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control (C&C) server (activation C&C server)," the researchers wrote.Until then, the backdoor pings out every 8 hours to a command-and-control server with basic information on the compromised computers, including their domain names, network details, and usernames.

Here's how the attackers activate the backdoor:
The activation of the backdoor was eventually triggered by a specially crafted DNS TXT record for a specific domain name. The domain name is generated based on the current month and year, and performs a DNS lookup on it.
Once triggered, the command and control DNS server in return sends back the decryption key which is downloaded by the software for the next stage of the code, effectively activating the backdoor.

Once activated, the ShadowPad backdoor provides a full backdoor for an attacker to download and run arbitrary code, create processes, and maintain a virtual file system (VFS) in the registry, which is encrypted and stored in locations unique to each victim.

Kaspersky researchers said they could confirm activated backdoor in one case, against an unnamed company located in Hong Kong.

How to Detect this Backdoor and Protect Your Company

The company has rolled out an update to kill the malicious software on August 4, and is investigating how the backdoor code got into its software.

Anyone who has not updated their NetSarang software since then is highly recommended to upgrade to the latest version of the NetSarang package immediately to protect against any threats.

Additionally, check if there were DNS requests from your organization to the following list of domains. If yes, the requests to those domains should be blocked.

  • ribotqtonut[.]com
  • nylalobghyhirgh[.]com
  • jkvmdmjyfcvkf[.]com
  • bafyvoruzgjitwr[.]com
  • xmponmzmxkxkh[.]com
  • tczafklirkl[.]com
  • notped[.]com
  • dnsgogle[.]com
  • operatingbox[.]com
  • paniesx[.]com
  • techniciantext[.]com

>NOTE: NetSarang installation kits from April do not include the malicious library.

Leave a Reply

Your email address will not be published. Required fields are marked *

Please Answer to Proceed? *