Popular Software has a Secret Backdoor in it


Every day, cyber criminals find new ways to bypass security, slither their way into our devices, and steal our data and personal information, all while remaining almost impossible to detect.

The most recent case involves cyber criminals infiltrating the update mechanism of a popular server management software package and modifying it to carry a backdoor that went undiscovered for at least 17 days.

The secret backdoor is called ShadowPad, and it gave the attackers complete control over networks while hidden behind legitimate, cryptographically signed software sold by NetSarang. This software is used by hundreds of organizations, including media firms, banks, energy companies, telecommunication providers, pharmaceutical firms, transportation and logistics companies, and other industries.

Researchers at Kaspersky Lab discovered the backdoor. According to them, NetSarang's update mechanism was hijacked and a backdoor was inserted into the software update, so that the malicious code reached all of NetSarang's clients. The same tactic was used by the attackers behind the Petya/NotPetya ransomware that infected computers around the world in June, which spread by compromising the update mechanism of the Ukrainian financial software provider MeDoc.

The secret backdoor was located in the nssock2.dll library shipped with NetSarang's Xmanager and Xshell software suites in an update released on July 18. Kaspersky discovered the backdoor on August 4 and immediately informed the company, which removed the contaminated update and replaced it with the previous clean version.

The affected NetSarang’s software packages are:

Xmanager 5.0 Build 1045
Xmanager Enterprise 5.0 Build 1232
Xshell 5.0 Build 1322
Xlpd 5.0 Build 1220
Xftp 5.0 Build 1218

The ShadowPad backdoor code was hidden in multiple layers of encrypted code that are decrypted only under specific conditions. According to the researchers, this tiered structure keeps the backdoor inactive until a special packet is received from the first-layer command and control (C&C) server.

The attackers activated the backdoor as follows:

To activate the backdoor, it must be triggered by a specially crafted DNS TXT record for a certain domain name. The backdoor generates that domain name from the current month and year and performs a DNS lookup on it.

When triggered, the C&C DNS server returns the decryption key in the TXT record. That key is used to decrypt the next stage of the code, which activates the backdoor.

Once activated, the backdoor gives the attacker full control: it can download and run arbitrary code, create processes, and manage a Virtual File System (VFS) kept in the Windows registry. The VFS is encrypted and stored in registry locations unique to each victim.
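To make the tiered activation described above concrete, here is an added toy reconstruction in Python. It is not code from the article, from Kaspersky, or from NetSarang: a loader that carries an encrypted second stage but no key, a domain derived only from the current month and year, and a stand-in C&C DNS server that answers a TXT query with the key only for the domain valid this month. The DGA, the HMAC-based keystream, the "key=" TXT format, the ".example" suffix and the stage-2 marker string are all assumptions made for this example and are not ShadowPad's real algorithms, domains or keys.

```python
import hashlib
import hmac
from typing import List, Optional

# Toy reconstruction of the tiered trigger described above. Everything here is a
# hypothetical model: the DGA, the key wrapping, the "key=" TXT format and the
# stage-2 payload are invented for illustration, NOT ShadowPad's real
# algorithms, domains or keys.

STAGE2_PLAINTEXT = b"stage2: hypothetical benign marker, not real code"


def dga_domain(year: int, month: int, seed: bytes = b"toy-seed") -> str:
    """Hypothetical DGA: derive the domain from month and year only, so every
    infected host computes the same name during a given month."""
    material = seed + f"{year}-{month:02d}".encode()
    label = hashlib.sha256(material).hexdigest()[:12]
    return f"{label}.example"


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (toy construction used as an XOR keystream)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class FakeC2DnsServer:
    """Stands in for the first-layer C&C DNS server: it answers a TXT query only
    for the domain valid this month, and only then hands out the stage-2 key."""

    def __init__(self, stage2_key: bytes, year: int, month: int):
        self.stage2_key = stage2_key
        self.active_domain = dga_domain(year, month)
        self.queries_seen: List[str] = []

    def txt_lookup(self, qname: str) -> Optional[str]:
        self.queries_seen.append(qname)
        if qname != self.active_domain:
            return None  # no TXT record: the loader stays dormant
        return "key=" + self.stage2_key.hex()


class DormantLoader:
    """Models the encrypted stage shipped inside the signed library: it carries
    the stage-2 blob but no key, and only asks DNS for one."""

    def __init__(self, encrypted_stage2: bytes):
        self.encrypted_stage2 = encrypted_stage2
        self.activated = False

    def beacon(self, resolver: FakeC2DnsServer, year: int, month: int) -> Optional[bytes]:
        txt = resolver.txt_lookup(dga_domain(year, month))
        if txt is None or not txt.startswith("key="):
            return None
        key = bytes.fromhex(txt[len("key="):])
        stage2 = xor_crypt(self.encrypted_stage2, key)
        # A wrong key yields garbage; refuse to "activate" on it.
        if not stage2.startswith(b"stage2:"):
            return None
        self.activated = True
        return stage2


def build_scenario(year: int, month: int):
    """Encrypt the toy stage 2 and pair a dormant loader with a C&C server
    that is active for the given month."""
    stage2_key = hashlib.sha256(b"toy-stage2-key").digest()
    encrypted = xor_crypt(STAGE2_PLAINTEXT, stage2_key)
    return DormantLoader(encrypted), FakeC2DnsServer(stage2_key, year, month)


if __name__ == "__main__":
    loader, c2 = build_scenario(2017, 8)
    print("July domain  :", dga_domain(2017, 7), "->", loader.beacon(c2, 2017, 7))
    print("August domain:", dga_domain(2017, 8), "->", loader.beacon(c2, 2017, 8))
```

The point of the model is the defensive one: the library on disk holds only the encrypted blob, so a static scan or a signature check on the signed binary sees nothing actionable, and the first observable event is the periodic DNS lookup for a domain nobody in the organization has any business resolving. That lookup, not the file, is where detection starts.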

The Kaspersky Lab researchers were able to confirm an activated backdoor in one case, at an unnamed company based in Hong Kong. NetSarang removed the update carrying the malicious backdoor on the same day the Kaspersky researchers reported their findings, and is now investigating how the backdoor code got into its software.

Anyone who has not updated their NetSarang software since then is strongly advised to upgrade to the latest version of the NetSarang package immediately.

Additionally, check whether there have been DNS requests from your organization to the following list of domains. If so, requests to those domains should be blocked.
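As an added example of that DNS log check (not code from the article or the researchers), the Python below parses constructed BIND-style query log lines, matches them against an IOC domain set, and goes one step beyond the article by also flagging TXT lookups to domains outside an allowlist of names for which TXT records are expected (SPF, DMARC, DKIM), since the backdoor's trigger was a TXT record for a domain no host in the organization should otherwise resolve. The log format, client addresses and domain names are constructed, and the IOC set is a hypothetical placeholder because this page does not reproduce the researchers' list; substitute the real one.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of resolver query logs (BIND-style, invented for this
# example; adapt LOG_RE to your resolver's real format).
SAMPLE_LOG = """\
10-Aug-2017 09:12:01.413 client 10.0.4.21#51123 (www.example.com): query: www.example.com IN A + (10.0.0.53)
10-Aug-2017 09:12:07.920 client 10.0.4.21#51130 (abc123xyz.example): query: abc123xyz.example IN TXT + (10.0.0.53)
10-Aug-2017 09:13:00.002 client 10.0.4.88#40021 (_dmarc.example.org): query: _dmarc.example.org IN TXT + (10.0.0.53)
10-Aug-2017 17:12:09.110 client 10.0.4.21#51190 (abc123xyz.example): query: abc123xyz.example IN TXT + (10.0.0.53)
10-Aug-2017 18:00:41.775 client 10.0.4.30#33001 (ioc-placeholder.invalid): query: ioc-placeholder.invalid IN A + (10.0.0.53)
"""

# Hypothetical placeholder for the researchers' published IOC domains.
IOC_DOMAINS: Set[str] = {"ioc-placeholder.invalid"}

# Domains (and their subdomains) for which TXT lookups are expected.
TXT_ALLOWLIST_SUFFIXES = ("example.com", "example.org")

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+ \(\S+\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z]+) "
)

Finding = Tuple[str, str, str]  # (reason, qname, timestamp)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return ts/client/qname/qtype for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def is_allowlisted_txt(qname: str) -> bool:
    return any(qname == s or qname.endswith("." + s) for s in TXT_ALLOWLIST_SUFFIXES)


def hunt(log_text: str, ioc_domains: Set[str] = IOC_DOMAINS) -> Dict[str, List[Finding]]:
    """Map each client address to the suspicious queries it made.

    Two checks: exact match against the IOC domain set (the article's advice),
    and any TXT lookup for a domain outside the allowlist (the generalization,
    because the trigger channel was a TXT record for a DGA domain).
    """
    findings: Dict[str, List[Finding]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["qname"] in ioc_domains:
            findings[rec["client"]].append(("ioc_domain", rec["qname"], rec["ts"]))
        elif rec["qtype"] == "TXT" and not is_allowlisted_txt(rec["qname"]):
            findings[rec["client"]].append(("unexpected_txt", rec["qname"], rec["ts"]))
    return dict(findings)


def repeated_txt_targets(findings: Dict[str, List[Finding]]) -> Dict[str, Set[str]]:
    """Domains a client asked for via TXT more than once: a periodic lookup to
    the same odd name is a stronger signal than a single stray query."""
    out: Dict[str, Set[str]] = {}
    for client, items in findings.items():
        counts: Dict[str, int] = defaultdict(int)
        for reason, qname, _ in items:
            if reason == "unexpected_txt":
                counts[qname] += 1
        repeats = {q for q, n in counts.items() if n > 1}
        if repeats:
            out[client] = repeats
    return out


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for client, items in sorted(result.items()):
        for reason, qname, ts in items:
            print(f"{client:<12} {reason:<15} {qname:<28} {ts}")
    print("repeated TXT targets:", repeated_txt_targets(result))
```

Run it against an export of your resolver logs covering the window from July 18 onward; a hit on the IOC set is a block-and-investigate, while an unexpected TXT lookup repeated from the same host, especially one with Xmanager, Xshell, Xftp or Xlpd installed, deserves a look at that host's nssock2.dll version before anything else.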