Security researchers found an advanced backdoor embedded in the server management software products of US and South Korea-based NetSarang. Named ShadowPad (detected by Trend Micro as BKDR_SHADOWPAD.A), the backdoor is capable of downloading and executing additional malware as well as stealing data.
NetSarang’s suite includes software for managing networks, servers, and system administration workstations. Affected organizations include financial institutions such as banks, as well as companies in the energy and pharmaceutical industries.
According to researchers, ShadowPad contacts certain attacker-controlled domains and sends the infected system’s information every eight hours. It is also coded to call out to a different domain each month. If the data sent to the attackers is of interest, their command and control (C&C) servers reply with a message that triggers the backdoor’s routine for downloading and executing additional payloads.
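A fixed eight-hour check-in is something a SOC can look for without knowing the attacker’s domains in advance. The following script is an added example, not code from the original article or from Trend Micro: it reads DNS query logs and flags any (host, domain) pair whose query intervals cluster tightly around an expected period. The log format, hostnames and domain names are constructed for illustration, and the eight-hour period and jitter tolerance are assumptions a practitioner would tune to their own environment.

```python
"""Periodicity check for DNS-beacon detection (added example, not from the article).

Given DNS query logs, find (host, domain) pairs that resolve the same domain at a
near-fixed interval, the way the article says ShadowPad phones home roughly every
eight hours. Log format, hostnames and domains below are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<ISO timestamp> <client host> <queried domain>".
# ws01 queries the same domain every ~8 h with a few seconds of jitter;
# ws02 is ordinary, irregular browsing and must not be flagged.
SAMPLE_LOG = """\
2017-08-01T00:00:05Z ws01 updates.example-cdn.test
2017-08-01T08:00:11Z ws01 updates.example-cdn.test
2017-08-01T16:00:02Z ws01 updates.example-cdn.test
2017-08-02T00:00:09Z ws01 updates.example-cdn.test
2017-08-02T08:00:07Z ws01 updates.example-cdn.test
2017-08-01T09:13:00Z ws02 www.example-news.test
2017-08-01T09:14:22Z ws02 www.example-news.test
2017-08-01T15:40:10Z ws02 www.example-news.test
2017-08-02T11:02:45Z ws02 www.example-news.test
2017-08-02T11:05:01Z ws02 www.example-news.test
"""


def parse_log(text):
    """Yield (timestamp, host, domain) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, parts[1], parts[2].lower().rstrip(".")


def find_beacons(text, period_seconds=8 * 3600, tolerance=0.05, min_events=4):
    """Return [(host, domain, median_interval_seconds)] for pairs whose query
    intervals sit within `tolerance` (relative) of `period_seconds` AND whose
    spread (max gap minus min gap, relative to the median) is also within
    `tolerance`. A scheduled beacon has both; human browsing has neither.
    """
    series = defaultdict(list)
    for ts, host, domain in parse_log(text):
        series[(host, domain)].append(ts.timestamp())

    hits = []
    for (host, domain), times in series.items():
        if len(times) < min_events:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap == 0:
            continue  # duplicate timestamps, not a schedule
        near_period = abs(median_gap - period_seconds) / period_seconds <= tolerance
        low_jitter = (max(gaps) - min(gaps)) / median_gap <= tolerance
        if near_period and low_jitter:
            hits.append((host, domain, median_gap))
    return hits


if __name__ == "__main__":
    for host, domain, gap in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {domain}: median interval {gap / 3600:.2f} h")
```

In a real deployment the period is unknown, so the same logic is usually run over a set of candidate periods (or replaced by an autocorrelation over the timestamp series); the tolerance must also be loosened for malware that adds deliberate jitter, at the cost of more false positives from legitimate scheduled tasks such as update checks.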
ShadowPad’s malicious code was found injected into a version of a dynamic-link library (DLL), nssock2.dll, that was hosted on NetSarang’s website from July 17 and remained undetected until now. Also of note is ShadowPad’s level of obfuscation: it comprises layers of encryption and uses a tiered activation mechanism that kept the backdoor dormant unless its C&C server sent a particular packet to the compromised system.
NetSarang has acknowledged the incident and has started implementing countermeasures, telling Ars Technica, “we've created a completely new and separate infrastructure and have wiped every single device which will be placed into this new infrastructure. Each device is then examined, white-listed, and then placed into the new infrastructure one-by-one. This process will take several weeks, but we need to ensure that a compromise such as this is never again possible at NetSarang.”
NetSarang's software is just one of many legitimate products that have been misused to deliver malware. Legitimate accounting software was abused to distribute Petya, for instance, while the Mac ransomware KeRanger was embedded in a BitTorrent client. Even official releases of online games were infected with the notorious PlugX backdoor, and the mirror download server of a Mac-based open-source video transcoding application was compromised to deliver the Proton backdoor.
As per NetSarang’s advisory, users and administrators of the affected software are strongly encouraged to install the update. The affected builds are:
Addendum: Updated as of August 29, 2017, 7:50 PM PDT to include Trend Micro™ Deep Security™ and TippingPoint solutions.
Trend Micro Solutions
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update.
Trend Micro’s Hybrid Cloud Security solution, powered by XGen™ security and featuring Trend Micro™ Deep Security™, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads/servers.