Security Experts:

Backdoors Found in Tools Used by Hundreds of Organizations

Many organizations around the world using connectivity tools from NetSarang are at risk after researchers at Kaspersky Lab discovered that malicious actors had planted a backdoor in several of the company’s products.

NetSarang, which has offices in the United States and South Korea, specializes in secure connectivity solutions. Some of its most popular products are Xshell, Xmanager, Xftp and Xlpd.

Kaspersky discovered a backdoor in these tools after one of its customers in the financial sector noticed suspicious DNS requests coming from a NetSarang software package. An investigation conducted by the vendor revealed that the latest versions of Xmanager Enterprise 5 (build 1232), Xmanager 5 (build 1045), Xshell 5 (build 1322), Xftp 5 (build 1218) and Xlpd 5 (build 1220) had been compromised.

Security experts believe the attackers either modified source code or patched the software on NetSarang’s build servers after gaining access to the company’s systems. The affected builds were released on July 18 and the backdoor was only discovered on August 4.

NetSarang’s products are used by hundreds of financial, software, media, energy, electronics, insurance, industrial, construction, manufacturing, retail, telecoms, pharmaceutical and transportation companies. However, Kaspersky has only seen the malicious payload being activated on the systems of a company in Hong Kong.

Kaspersky says the malware could be lying dormant on the networks of other organizations, but NetSarang said it alerted the antivirus industry so security products may have already neutralized the malicious files.

The malware, detected by Kaspersky as Backdoor.Win32.ShadowPad.a, communicates with its command and control (C&C) server via DNS queries sent once every eight hours. The requests contain information on the infected machine, including user name, domain name and host name.

If the infected system is of interest to the attackers, they activate a fully fledged backdoor that they can use to download and execute other malware.

“If the backdoor were activated, the attacker would be able to upload files, create processes, and store information in a VFS [virtual file system] contained within the victim’s registry. The VFS and any additional files created by the code are encrypted and stored in locations unique to each victim,” researchers explained.

Kaspersky said the threat group behind this attack was careful not to leave too much evidence, but researchers did find some links to PlugX and Winnti, malware believed to have been developed by Chinese-speaking actors.

The security firm has provided indicators of compromise (IoC) to help organizations detect these attacks. NetSarang has also published a security alert to inform customers of the steps that need to be taken to address the issue.

Last month, NetSarang informed customers that it had released an update for Xshell after documents published by WikiLeaks revealed that the tool had been targeted by the CIA’s BothanSpy malware.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.