Views:

The backdoor was embedded into one of the code libraries (nssock2.dll) used by the following products:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220
 
Build numbers before and after the builds mentioned above are not affected.

The location of the nssosck2.dll file on Xshell 5.0 Build 1322 is shown below:

Location path of nssosck2.dll

It is designed to run in two (2) stages as explained in the following diagram:

Process of nssosck2.dll

On the first stage, the embedded shellcode gathers basic information like network parameters, username, and system time. Afterwards, it forwards these information to the validation C&C servers. It uses domain generation algorithm (DGA) so the domain name changes depending on the month and year based on the system time.

According to the researchers, if the attackers considered the system to be “interesting,” the C&C server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. This is where the second stage begins. On command from the attackers, the backdoor platform would be able to download and execute further malicious code and perform different types of data exfiltration.

Based on the information collected from Trend Micro's Smart Protection Network dated August 16 to September 25, Asia Pacific has the most number of detections related to ShadowPad.

BKDR_SHADOWPAD.A Detections

Smart Scan and Conventional Scan

Files related to ShadowPad are already detected as BKDR_SHADOWPAD.A using Enterprise OPR 13.597.00.

Deep Discovery Inspector

Deep Discovery Inspector has the Intrusion Detection Rule 2308 - Possible DGA – DNS (Response), which can help detect network traffic associated with ShadowPad.

Rule 2308 - Possible DGA

Deep Security

Deep Security has a Deep Packet Inspection (DPI) Rule 1008571 - DNS Request To ShadowPad Domain Detection that can help detect and prevent network traffic associated with ShadowPad.

1008571 - DNS Request To ShadowPad Domain Detection

TippingPoint

TippingPoint customers are protected from attacks via the ThreatDV Filter 29425 - DNS: ShadowPad Checkin.

ThreatDV Filter 29425 - DNS: ShadowPad Checkin

Here are some more tips to protect your network:

  • If you are using any of the affected builds, it is highly recommend to cease using the software until it is updated.
  • Directly update the software from the client by clicking Help, and then Check for Updates.
  • Download the latest build from NetSarang.
  • Harden the security of the network infrastructure and employ additional mechanisms such as network segmentation, data categorization, and endpoint-level data encryption to prevent further exposure and mitigate any damage.
Keywords: BKDR_SHADOWPAD.A,BKDRSHADOWPADA