ShadowPad Backdoor Found in Server Management Software

Security researchers found an advanced backdoor embedded in the server management software products of US and South Korea-based NetSarang. Named ShadowPad (detected by Trend Micro as BKDR_SHADOWPAD.A), the backdoor is capable of downloading and executing additional malware as well as stealing data. 

NetSarang’s suite includes software for managing networks, servers, and system administration workstations. Affected organizations include those from industries such as financial institutions such as banks, energy, and pharmaceutics. 

According to researchers, ShadowPad will call out to certain attacker-controlled domains and send the infected system’s information every eight hours. It’s also coded to call out to different domains every month. If the data sent to the attackers are of any interest, their command and control (C&C) servers will reply by triggering the backdoor’s routine to deliver additional payloads. 

ShadowPad’s malicious codes were found to have been injected into a version of a dynamic-link library file (DLL), nssock2.dll, which was hosted on NetSarang’s website on July 17 and remained undetected until now. Also of note is ShadowPad’s level of obscurity, comprising layers of encryption and features a tiered mechanism that deterred the backdoor from activating unless its C&C server sent a particular packet to the compromised system. 

NetSarang has acknowledged the incident, and has started implementing countermeasures, telling Ars Technica, “we've created a completely new and separate infrastructure and have wiped every single device which will be placed into this new infrastructure. Each device is then examined, white-listed, and then placed into the new infrastructure one-by-one. This process will take several weeks, but we need to ensure that a compromise such as this is never again possible at NetSarang.” 

NetSarang's software is just one of many that were misused to deliver malware. A legitimate accounting software was abused to distribute Petya, for instance, while Mac ransomware KeRanger was embedded into a BitTorrent client. Even official releases of online games were infected with the notorious PlugX backdoor. The mirror download server of a Mac-based open-source video transcoding application was also compromised to deliver the Proton backdoor. 

As per NetSarang’s advisory, owners and managers of the affected software are highly encouraged to install the update. The affected builds are:

  • Affected Builds
  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220 

Affected organizations are also urged to adopt best practices, such as hardening the security of their network infrastructure. It’s also recommended to employ additional mechanisms such as network segmentation, data categorization, and endpoint-level data encryption to prevent further exposure and mitigate any damage.

Addendum: Updated as of August 29, 2017, 7:50 PM PDT to include Trend Micro™ Deep Security™ and TippingPoint solutions.

Trend Micro Solutions

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update.

Trend Micro’s Hybrid Cloud Security solution, powered by XGen™ security and features Trend Micro™ Deep Security™, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads/servers.

Trend Micro Deep Discovery Inspector protects customers from this threat via this DDI Rule:

  • 2308:  Possible DGA - DNS (Response)

Trend Micro™ Deep Security™ protects customers via this DPI rule:

  • 1008571 - DNS Request To ShadowPad Domain Detection
TippingPoint customers are protected from these attacks via this ThreatDV filter:
  • 29425: DNS: ShadowPad Checkin

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.