Security researchers found an advanced backdoor embedded in the server management software products of NetSarang. The backdoor named ShadowPad, which is detected by Trend Micro as BKDR_SHADOWPAD.A, is capable of downloading and executing additional malware, as well as stealing data.
The backdoor was embedded into one of the code libraries (nssock2.dll) used by the following products:
- Xmanager Enterprise 5.0 Build 1232
- Xmanager 5.0 Build 1045
- Xshell 5.0 Build 1322
- Xftp 5.0 Build 1218
- Xlpd 5.0 Build 1220
The location of the nssosck2.dll file on Xshell 5.0 Build 1322 is shown below:
It is designed to run in two (2) stages as explained in the following diagram:
On the first stage, the embedded shellcode gathers basic information like network parameters, username, and system time. Afterwards, it forwards these information to the validation C&C servers. It uses domain generation algorithm (DGA) so the domain name changes depending on the month and year based on the system time.
According to the researchers, if the attackers considered the system to be “interesting,” the C&C server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. This is where the second stage begins. On command from the attackers, the backdoor platform would be able to download and execute further malicious code and perform different types of data exfiltration.
Based on the information collected from Trend Micro's Smart Protection Network dated August 16 to September 25, Asia Pacific has the most number of detections related to ShadowPad.
Smart Scan and Conventional Scan
Files related to ShadowPad are already detected as BKDR_SHADOWPAD.A using Enterprise OPR 13.597.00.
Deep Discovery Inspector
Deep Discovery Inspector has the Intrusion Detection Rule 2308 - Possible DGA – DNS (Response), which can help detect network traffic associated with ShadowPad.
Deep Security has a Deep Packet Inspection (DPI) Rule 1008571 - DNS Request To ShadowPad Domain Detection that can help detect and prevent network traffic associated with ShadowPad.
TippingPoint customers are protected from attacks via the ThreatDV Filter 29425 - DNS: ShadowPad Checkin.
Here are some more tips to protect your network:
- If you are using any of the affected builds, it is highly recommend to cease using the software until it is updated.
- Directly update the software from the client by clicking Help, and then Check for Updates.
- Download the latest build from NetSarang.
- Harden the security of the network infrastructure and employ additional mechanisms such as network segmentation, data categorization, and endpoint-level data encryption to prevent further exposure and mitigate any damage.