Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Information on BKDR_SHADOWPAD.A

    • Updated:
    • 14 Mar 2020
    • Product/Version:
    • Deep Discovery Inspector 3.6
    • Deep Discovery Inspector 3.7
    • Deep Discovery Inspector 3.8
    • Deep Security 10.0
    • Deep Security 10.1
    • OfficeScan 11.0
    • OfficeScan XG.All
    • TippingPoint Advanced Threat Protection for Network 3.8
    • Platform:
    • N/A N/A

Security researchers found an advanced backdoor embedded in the server management software products of NetSarang. The backdoor named ShadowPad, which is detected by Trend Micro as BKDR_SHADOWPAD.A, is capable of downloading and executing additional malware, as well as stealing data.


The backdoor was embedded into one of the code libraries (nssock2.dll) used by the following products:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220
Build numbers before and after the builds mentioned above are not affected.

The location of the nssosck2.dll file on Xshell 5.0 Build 1322 is shown below:

Location path of nssosck2.dll

It is designed to run in two (2) stages as explained in the following diagram:

Process of nssosck2.dll

On the first stage, the embedded shellcode gathers basic information like network parameters, username, and system time. Afterwards, it forwards these information to the validation C&C servers. It uses domain generation algorithm (DGA) so the domain name changes depending on the month and year based on the system time.

According to the researchers, if the attackers considered the system to be “interesting,” the C&C server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. This is where the second stage begins. On command from the attackers, the backdoor platform would be able to download and execute further malicious code and perform different types of data exfiltration.

Based on the information collected from Trend Micro's Smart Protection Network dated August 16 to September 25, Asia Pacific has the most number of detections related to ShadowPad.


Smart Scan and Conventional Scan

Files related to ShadowPad are already detected as BKDR_SHADOWPAD.A using Enterprise OPR 13.597.00.

Deep Discovery Inspector

Deep Discovery Inspector has the Intrusion Detection Rule 2308 - Possible DGA – DNS (Response), which can help detect network traffic associated with ShadowPad.

Rule 2308 - Possible DGA

Deep Security

Deep Security has a Deep Packet Inspection (DPI) Rule 1008571 - DNS Request To ShadowPad Domain Detection that can help detect and prevent network traffic associated with ShadowPad.

1008571 - DNS Request To ShadowPad Domain Detection


TippingPoint customers are protected from attacks via the ThreatDV Filter 29425 - DNS: ShadowPad Checkin.

ThreatDV Filter 29425 - DNS: ShadowPad Checkin

Here are some more tips to protect your network:

  • If you are using any of the affected builds, it is highly recommend to cease using the software until it is updated.
  • Directly update the software from the client by clicking Help, and then Check for Updates.
  • Download the latest build from NetSarang.
  • Harden the security of the network infrastructure and employ additional mechanisms such as network segmentation, data categorization, and endpoint-level data encryption to prevent further exposure and mitigate any damage.
Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.