
ShadowPad Backdoor Arises

Hackers are continually innovating and becoming fundamentally sneakier in how they target businesses. In the NotPetya attack earlier this year we saw attackers drop malicious code into legitimate accounting software updates. Now another software update mechanism has been corrupted in the same way. Researchers at Kaspersky's Global Research and Analysis Team (GReAT) have detected a similar attack, dubbed ShadowPad: a secret backdoor that gave attackers complete control over networks, hidden inside legitimate, cryptographically signed software sold by NetSarang. Because the backdoored build carried the vendor's valid signature, signature checks alone gave no warning. Founded in 1997, NetSarang develops, markets and supports secure connectivity solutions and specialises in server management tools for large corporate networks. The company has headquarters in both the United States and South Korea and counts banks, media firms, energy companies, pharmaceutical firms, telecommunication providers, transportation and logistics companies and other industries among its clients.

Injected backdoor through update mechanism

Whoever the authors of the backdoor were, they put an inordinate amount of effort into hiding it. The suspicious code was buried within layers of legitimate code in NetSarang's software updates. The backdoor, which gives the attacker control of the targeted network, lives in the nssock2.dll library shipped with NetSarang's Xmanager and Xshell software suites, which are used by hundreds of companies. The compromised updates went live on 18 July and the backdoor was only detected 17 days later. While it was initially believed that no networks had been hijacked, Kaspersky later revealed that the backdoor had been activated at an unnamed institution in Hong Kong and used to gain access to sensitive data.


Kaspersky notified NetSarang, who acted quickly, pulling down the compromised updates and replacing them with clean versions. Part of the reason for the slow detection is that the backdoor has to be activated before any malicious traffic is sent from the compromised network. Until then the backdoor only beaconed out once every 8 hours to a command and control server, sending basic information about the compromised host, including domain names, network details and usernames.

How the backdoor is activated

The backdoor is activated when it receives a specially crafted DNS TXT record for a specific domain name, which the implant generates from the current date, so the domain it beacons to changes over time. Once triggered, the command and control server sends the decryption key for the next stage of the code; once that key is received the backdoor is effectively open. The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable Latin characters. Because the beacon travels over DNS, an implant that has not yet been activated leaves little trace other than periodic TXT queries to unfamiliar domains.

Once active, ShadowPad provides a complete backdoor to the attacker, who can then download and execute arbitrary code, create processes, and maintain a virtual file system (VFS) in the registry, which is encrypted and stored in locations unique to each victim.
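To make the dormant phase concrete from the defender's side, here is an added example (not code from this article, from Kaspersky or from NetSarang) that scans a DNS query log for TXT lookups recurring on a fixed cadence, which is what an un-triggered ShadowPad beacon looks like on the wire. The log format (timestamp, client, query type, query name), the sample lines and the 10% jitter tolerance are all constructed or assumed for the demonstration.

```python
"""Find DNS TXT queries that recur on a fixed cadence (dormant beacon hunt).

Added example, not code from the article, Kaspersky or NetSarang. The log
format (timestamp, client, query type, query name) and the sample lines are
constructed for the demonstration; the 10% jitter tolerance is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: host 10.0.0.7 issues a TXT query to the same
# random-looking domain roughly every 8 hours; everything else is ordinary
# traffic (web lookups and a mail server checking DMARC records).
SAMPLE_LOG = """\
2017-07-20T00:02:11 10.0.0.7 TXT qwxvlkjhgfdsa.example
2017-07-20T00:05:40 10.0.0.9 A www.example.org
2017-07-20T03:11:02 10.0.0.9 TXT _dmarc.example.org
2017-07-20T08:01:58 10.0.0.7 TXT qwxvlkjhgfdsa.example
2017-07-20T09:30:00 10.0.0.9 A mail.example.org
2017-07-20T16:02:30 10.0.0.7 TXT qwxvlkjhgfdsa.example
2017-07-20T17:44:12 10.0.0.9 TXT _dmarc.example.org
2017-07-21T00:02:03 10.0.0.7 TXT qwxvlkjhgfdsa.example
2017-07-21T08:02:44 10.0.0.7 TXT qwxvlkjhgfdsa.example
"""


def parse_log(text):
    """Yield (timestamp, client, qtype, qname) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        yield datetime.fromisoformat(ts), client, qtype.upper(), qname.rstrip(".").lower()


def find_txt_beacons(text, min_queries=3, max_jitter=0.10):
    """Return [(client, qname, period_hours)] for every client/domain pair
    whose TXT queries are evenly spaced: at least min_queries lookups, with
    every gap within max_jitter of the median gap."""
    series = defaultdict(list)
    for ts, client, qtype, qname in parse_log(text):
        if qtype == "TXT":
            series[(client, qname)].append(ts)

    hits = []
    for (client, qname), stamps in sorted(series.items()):
        if len(stamps) < min_queries:
            continue  # too few points to call it a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue  # duplicate timestamps, not a beacon
        if all(abs(g - period) <= max_jitter * period for g in gaps):
            hits.append((client, qname, round(period / 3600, 1)))
    return hits


if __name__ == "__main__":
    for client, qname, hours in find_txt_beacons(SAMPLE_LOG):
        print(f"{client} -> TXT {qname} every ~{hours} h")
```

A ShadowPad-style implant shows up here as a period of 8.0 hours. Legitimate recurring TXT lookups (SPF, DKIM and DMARC checks by mail gateways) also produce hits, so treat the output as leads to correlate with the installed NetSarang build rather than as verdicts, and remember that because the implant's domain is derived from the date, the per-domain query count stays small and the hunt should be run over a window of days rather than weeks.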

Who’s responsible?

The researchers at Kaspersky cannot say with any confidence who is behind ShadowPad. Its authors were careful not to leave any obvious traces or indicators of their identity. The researchers did, however, note that techniques used in ShadowPad resemble those used in the earlier malware families PlugX and Winnti, which were allegedly developed by Chinese-speaking authors. While attribution is difficult, it is clear that such attacks are not the work of a run-of-the-mill hacker who buys malware on the Dark Web and hopes to infect as many systems as possible in the shortest possible time. In the case of NotPetya, many experts believe the ransomware was deployed as a smokescreen to hide the original intention of the threat actors. Given the number of institutions and industries that use NetSarang's products, the potential damage is immense; that only one instance of the backdoor being triggered is known allows for a collective sigh of relief.

NetSarang should be congratulated on how it handled the situation. Once notified by Kaspersky, NetSarang informed customers and took down the compromised updates. This is a great, and rare, example of cooperation between security researchers and software vendors. More often than not companies ignore warnings until it is too late, and a war of words ensues over who is responsible.

How to detect the backdoor and protect against further malicious attacks?

NetSarang has rolled out an update that replaces the backdoored library. Administrators are advised to install the latest version of NetSarang's packages, and to treat any host that ran one of the builds listed below as potentially compromised rather than simply patched.

Additionally, administrators can check whether there have been DNS requests from their organisation to the following domains:

ribotqtonut[.]com
nylalobghyhirgh[.]com
jkvmdmjyfcvkf[.]com
bafyvoruzgjitwr[.]com
xmponmzmxkxkh[.]com
tczafklirkl[.]com
notped[.]com
dnsgogle[.]com
operatingbox[.]com
paniesx[.]com
techniciantext[.]com

If so, those domains should be blocked and the querying hosts investigated. Researchers have concluded that the following builds of NetSarang's products contain the backdoor:

Xmanager Enterprise 5 Build 1232
Xme5.exe, Jul 17 2017, 55.08 MB
MD5: 0009f4b9972660eeb23ff3a9dccd8d86
SHA1: 12180ff028c1c38d99e8375dd6d01f47f6711b97

Xmanager 5 Build 1045
Xmgr5.exe, Jul 17 2017, 46.2 MB
MD5: b69ab19614ef15aa75baf26c869c9cdd
SHA1: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d

Xshell 5 Build 1322
Xshell5.exe, Jul 17 2017, 31.58 MB
MD5: b2c302537ce8fbbcff0d45968cc0a826
SHA1: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6

Xftp 5 Build 1218
Xftp5.exe, Jul 17 2017, 30.7 MB
MD5: 78321ad1deefce193c8172ec982ddad1
SHA1: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b

Xlpd 5 Build 1220
Xlpd5.exe, Jul 17 2017, 30.22 MB
MD5: 28228f337fdbe3ab34316a7132123c49
SHA1: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe
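The two checks above (DNS queries to the listed domains, and installer files matching the listed hashes) can be run as one sweep. The following is an added example, not code from this article, from Kaspersky or from NetSarang: the domains and hashes are the ones published above, while the DNS log format, the sample log lines and the sample file bytes are constructed for the demonstration.

```python
"""Sweep DNS logs and installer files against the ShadowPad indicators
listed above.

Added example, not code from the article, Kaspersky or NetSarang. The IOC
domains and hashes are the ones published above; the DNS log format and the
sample data are constructed for the demonstration.
"""
import hashlib
import os

# Domains from the list above, with the defanged "[.]" restored.
IOC_DOMAINS = {
    "ribotqtonut.com", "nylalobghyhirgh.com", "jkvmdmjyfcvkf.com",
    "bafyvoruzgjitwr.com", "xmponmzmxkxkh.com", "tczafklirkl.com",
    "notped.com", "dnsgogle.com", "operatingbox.com", "paniesx.com",
    "techniciantext.com",
}

# MD5 and SHA1 of the backdoored installers, keyed to the build name.
IOC_HASHES = {
    "0009f4b9972660eeb23ff3a9dccd8d86": "Xmanager Enterprise 5 Build 1232",
    "12180ff028c1c38d99e8375dd6d01f47f6711b97": "Xmanager Enterprise 5 Build 1232",
    "b69ab19614ef15aa75baf26c869c9cdd": "Xmanager 5 Build 1045",
    "35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d": "Xmanager 5 Build 1045",
    "b2c302537ce8fbbcff0d45968cc0a826": "Xshell 5 Build 1322",
    "7cf07efe04fe0012ed8beaa2dec5420a9b5561d6": "Xshell 5 Build 1322",
    "78321ad1deefce193c8172ec982ddad1": "Xftp 5 Build 1218",
    "08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b": "Xftp 5 Build 1218",
    "28228f337fdbe3ab34316a7132123c49": "Xlpd 5 Build 1220",
    "3d69fdd4e29ad65799be33ae812fe278b2b2dabe": "Xlpd 5 Build 1220",
}

# Constructed DNS log lines: timestamp, client, query type, query name.
SAMPLE_DNS_LOG = [
    "2017-07-20T08:01:58 10.0.0.7 TXT ribotqtonut.com",
    "2017-07-20T08:02:10 10.0.0.9 A www.example.org",
    "2017-07-20T08:05:00 10.0.0.12 A cdn.notped.com.",
    "2017-07-20T08:06:00 10.0.0.9 A notpedx.com",  # look-alike, not an IOC
]


def is_ioc_domain(qname):
    """True if qname is an IOC domain or any subdomain of one."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels) - 1))


def matching_dns_queries(lines):
    """Return sorted (client, qname) pairs whose query hit an IOC domain."""
    hits = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        client, qname = parts[1], parts[3].lower().rstrip(".")
        if is_ioc_domain(qname):
            hits.add((client, qname))
    return sorted(hits)


def lookup_hash(hexdigest):
    """Return the build name for a known-bad MD5 or SHA1 digest, else None."""
    return IOC_HASHES.get(hexdigest.lower())


def identify_file_bytes(data):
    """Hash raw file contents with both MD5 and SHA1 and check each."""
    return (lookup_hash(hashlib.md5(data).hexdigest())
            or lookup_hash(hashlib.sha1(data).hexdigest()))


def scan_directory(root):
    """Walk root and return [(path, build)] for files matching an IOC hash."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    build = identify_file_bytes(fh.read())
            except OSError:
                continue  # unreadable file: report nothing, keep scanning
            if build:
                matches.append((path, build))
    return matches


if __name__ == "__main__":
    print(matching_dns_queries(SAMPLE_DNS_LOG))
    print(lookup_hash("0009f4b9972660eeb23ff3a9dccd8d86"))
    print(identify_file_bytes(b"constructed clean file, not a real installer"))
```

The domain match is suffix-based so that a query for any subdomain of a listed domain is caught, while look-alike names such as the constructed notpedx.com are not. The hash check only identifies the installer packages listed above; on a host where the installer has since been deleted, compare the installed Xmanager, Xshell, Xftp or Xlpd version against NetSarang's clean release instead.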

The shadow war intensifies

While previous cyber threats have made international headlines and caused a media storm within the IT sector, they were fairly amateurish in execution. The NotPetya campaign earlier this year displayed the resourcefulness and inventiveness of what hackers could achieve. ShadowPad is an example of both how dangerous and how ingenious a successful supply chain attack can be. Given the advantages of covert data collection, similar attacks can be expected again and again, and they are likely to target software vendors whose products are used across many industries and economic sectors. Although detecting the malicious activity 17 days after it was deployed may seem an unbearably long time, such attacks usually take months or even years to detect. In this instance the value of threat intelligence and open cooperation has proven invaluable when measured against the damage that might have been caused.


About the author:

Karolis Liucveikis

Karolis Liucveikis is an experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017.
