Security Experts:

Connect with us

Hi, what are you looking for?



Backdoors Found in Tools Used by Hundreds of Organizations

Many organizations around the world using connectivity tools from NetSarang are at risk after researchers at Kaspersky Lab discovered that malicious actors had planted a backdoor in several of the company’s products.

Many organizations around the world using connectivity tools from NetSarang are at risk after researchers at Kaspersky Lab discovered that malicious actors had planted a backdoor in several of the company’s products.

NetSarang, which has offices in the United States and South Korea, specializes in secure connectivity solutions. Some of its most popular products are Xshell, Xmanager, Xftp and Xlpd.

Kaspersky discovered a backdoor in these tools after one of its customers in the financial sector noticed suspicious DNS requests coming from a NetSarang software package. An investigation conducted by the vendor revealed that the latest versions of Xmanager Enterprise 5 (build 1232), Xmanager 5 (build 1045), Xshell 5 (build 1322), Xftp 5 (build 1218) and Xlpd 5 (build 1220) had been compromised.

Security experts believe the attackers either modified source code or patched the software on NetSarang’s build servers after gaining access to the company’s systems. The affected builds were released on July 18 and the backdoor was only discovered on August 4.

NetSarang’s products are used by hundreds of financial, software, media, energy, electronics, insurance, industrial, construction, manufacturing, retail, telecoms, pharmaceutical and transportation companies. However, Kaspersky has only seen the malicious payload being activated on the systems of a company in Hong Kong.

Kaspersky says the malware could be lying dormant on the networks of other organizations, but NetSarang said it alerted the antivirus industry so security products may have already neutralized the malicious files.

The malware, detected by Kaspersky as Backdoor.Win32.ShadowPad.a, communicates with its command and control (C&C) server via DNS queries sent once every eight hours. The requests contain information on the infected machine, including user name, domain name and host name.

If the infected system is of interest to the attackers, they activate a fully fledged backdoor that they can use to download and execute other malware.

“If the backdoor were activated, the attacker would be able to upload files, create processes, and store information in a VFS [virtual file system] contained within the victim’s registry. The VFS and any additional files created by the code are encrypted and stored in locations unique to each victim,” researchers explained.

Kaspersky said the threat group behind this attack was careful not to leave too much evidence, but researchers did find some links to PlugX and Winnti, malware believed to have been developed by Chinese-speaking actors.

The security firm has provided indicators of compromise (IoC) to help organizations detect these attacks. NetSarang has also published a security alert to inform customers of the steps that need to be taken to address the issue.

Last month, NetSarang informed customers that it had released an update for Xshell after documents published by WikiLeaks revealed that the tool had been targeted by the CIA’s BothanSpy malware.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.