Backdoor Found in Popular Server Management Software used by Hundreds of Companies

in #security, 7 years ago

Recently, black-hat hackers managed to compromise a popular server management software package through its update mechanism and planted an advanced backdoor, which stayed live for 17 days before researchers discovered it. The backdoor, named ShadowPad, gives the attackers complete control over the network, and it hid inside cryptographically signed software distributed by NetSarang. This software is used by many organizations, including banks, media companies, telecommunication providers, logistics and transport firms, and more.

Warning to take into account

If you are using any of the affected products (listed below), we strongly recommend switching to an alternative immediately until a patched build has been released and installed.

Black-Hat Hackers Injected the Backdoor Through the Software Update Mechanism

Kaspersky Lab discovered this well-hidden backdoor by catching NetSarang's update mechanism in the act: the backdoor had been silently inserted into a software update, which then delivered the malicious code to all NetSarang users under the company's legitimate signing certificate.

The same mechanism was used by the Petya/NotPetya ransomware in June of this year, in that case against the Ukrainian financial software provider known as MeDoc.

The backdoor lives in the nssock2.dll library of NetSarang's Xmanager and Xshell software suites, in the builds NetSarang published on its website on the 18th of July.

When the Kaspersky Lab researchers made the discovery, they submitted a private report to the company on August 4. As an immediate action, the company pulled the compromised software and resolved the issue by replacing it with a clean, previous version.

The affected NetSarang software:
Xmanager Enterprise 5.0 Build 1232
Xmanager 5.0 Build 1045
Xshell 5.0 Build 1322
Xftp 5.0 Build 1218
Xlpd 5.0 Build 1220

Commands that can be Remotely Triggered

The ShadowPad code is hidden in several layers of encrypted code that are decrypted only when intended. Even if that decryption is not performed, the backdoor pings a command-and-control server every 8 hours with details of the compromised system, including the user name, domain name and network details.

How the Backdoor Is Activated

The backdoor is triggered by a specially crafted DNS TXT record: it generates a domain name based on the current month and year and then performs a DNS lookup on that domain. When the backdoor is triggered, the command-and-control server sends a decryption key, which the software downloads and uses to move on to the next stage, effectively making the backdoor active.

How to Detect This Backdoor and Protect Your Company

As I mentioned above, the company has already provided a fix by replacing the build with a clean and stable version; anyone who has not yet made this change should do so. Also check that no DNS requests to the following domains were made from your organization, and block these domains:


The final solution is to use the NetSarang installation kits from April, which do not contain the malicious library.
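As an added example (not code from the original post, NetSarang or Kaspersky), the following Python script applies the two detection points above to a DNS resolver log: it flags lookups of the C2 domains listed in the post and flags TXT lookups from a single host that recur at roughly the 8-hour beacon interval. The log format and the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# C2 domains listed in the post, with the de-fanged "[.]" turned back into dots.
SHADOWPAD_C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "ribotqtonut[.]com", "nylalobghyhirgh[.]com", "jkvmdmjyfcvkf[.]com", "batyvoruzgjitwr[.]com",
    "xmponmzmxkxkh[.]com", "tczafklirkl[.]com", "notped[.]com", "dnsgogle[.]com",
    "operatingbox[.]com", "paniesx[.]com", "techniciantext[.]com")}
# Constructed resolver log format (an assumption, not any real vendor's format):
#   <ISO timestamp> client=<ip> qtype=<record type> qname=<queried name>
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)")
# Constructed sample log: host 10.0.0.5 does TXT lookups of a listed C2 domain
# roughly every 8 hours, mixed with ordinary traffic from another host.
SAMPLE_LOG = """\
2017-08-01T03:00:12 client=10.0.0.5 qtype=A qname=example.com
2017-08-01T03:00:15 client=10.0.0.5 qtype=TXT qname=nylalobghyhirgh.com
2017-08-01T09:17:40 client=10.0.0.7 qtype=TXT qname=_dmarc.example.com
2017-08-01T11:00:20 client=10.0.0.5 qtype=TXT qname=nylalobghyhirgh.com
2017-08-01T12:02:03 client=10.0.0.7 qtype=TXT qname=_dmarc.example.com
2017-08-01T18:59:51 client=10.0.0.5 qtype=TXT qname=nylalobghyhirgh.com
"""

def parse(lines):
    """Yield (timestamp, client, qtype, qname) per parseable line; names normalised."""
    for m in filter(None, map(LOG_RE.match, lines)):
        yield datetime.fromisoformat(m["ts"]), m["client"], m["qtype"].upper(), m["qname"].rstrip(".").lower()

def known_c2_hits(lines):
    """Return every query whose name is a listed C2 domain or a subdomain of one."""
    return [q for q in parse(lines)
            if q[3] in SHADOWPAD_C2_DOMAINS or any(q[3].endswith("." + d) for d in SHADOWPAD_C2_DOMAINS)]

def periodic_txt_beacons(lines, period=timedelta(hours=8), tolerance=timedelta(minutes=30), min_hits=3):
    """Return (client, qname) pairs whose TXT lookups recur about every `period`; catches the beacon even for an unlisted domain."""
    series = defaultdict(list)
    for ts, client, qtype, qname in parse(lines):
        if qtype == "TXT":
            series[(client, qname)].append(ts)
    flagged = []
    for key, times in series.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - period) <= tolerance for g in gaps):
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    print("known C2 lookups:", known_c2_hits(SAMPLE_LOG.splitlines()))
    print("periodic TXT beacons:", periodic_txt_beacons(SAMPLE_LOG.splitlines()))
```

The beacon check is a heuristic: tune `tolerance` and `min_hits` to your resolver's log volume, and expect legitimate periodic TXT lookups (mail or monitoring systems) to need whitelisting.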
