Attackers secretly modified at least five software packages distributed by network connectivity and server management solutions provider NetSarang in order to infect its business users with modular backdoor spyware, Kaspersky Lab reported on Tuesday via its Securelist blog.
The malicious files, dubbed ShadowPad, deliver an encrypted payload capable of remotely downloading and executing arbitrary code, uploading files, creating processes, and storing data in a virtual file system contained within the victim’s registry, the blog post warns.
Kaspersky first learned of the threat after a financial institution partner noticed suspicious DNS requests in its network, which originated from systems involved in financial transactions. Kaspersky analysts later traced this activity to a NetSarang software package – one of several to be affected.
Impacted packages include Xmanager Enterprise 5 Build 1232, Xmanager 5 Build 1045, Xshell 5 Build 1322, Xftp 5 Build 1218, and Xlpd 5 Build 1220. Kaspersky suspects that the culprits “either modified source codes or patched software on the build servers,” in order to embed shellcode into “nssock2.dll,” one of the code libraries used by the software.
NetSarang software is found on servers and workstations used by companies across a wide range of business sectors, any of which could be a potential target. Kaspersky has already confirmed an activated payload in a Hong Kong-based company, but did not name the affected business.
After being informed of the sabotage, NetSarang removed the malicious files and updated its software earlier this month. Kaspersky believes the files were first altered around July 13, which is the compilation date of the earliest known ShadowPad sample. The tainted software would be released just days later.
“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” acknowledged NetSarang in a Kaspersky press release issued yesterday.
NetSarang followed up on its release with a statement issued to SC Media: “We’ve exhausted all avenues of communication to our users regarding this issue and have urged all users to update their software immediately. Emails have been sent out and if the customer is connected to the Internet and has opted to periodically have the software check for updates, they’ve been notified through the software itself. As the security of our user base is our highest priority, we’ve pushed the update to all users, including those using pirated copies of our software.”
The software company also said that in response to the incident, it has incorporated “additional security protocols and checks” to ensure that future releases don’t suffer the same fate. Moreover, it has decided to abandon its network infrastructure as a result of the compromise.
“Over the course of several weeks, we’ll be migrating to an entirely new and separate network infrastructure where each device is wiped, examined, verified, and whitelisted,” NetSarang said in its statement. “Each whitelisted device will then be placed into our new network infrastructure one-by-one. ensuring we’re operating with a clean slate.”
According to Securelist, the sabotaged ShadowPad files work in two distinct stages, leveraging a tiered architecture that stops the backdoor from activating until a designated command-and-control server sends a specially crafted DNS TXT record for a specific domain. The attackers implemented a domain generation algorithm for these C&C servers, whose domains were registered from July through December.
Once the payload is activated, the module exchanges data with the server, which sends backs a decryption key for the next stage of the code. A separate technical analysis published by Kaspersky explains that the second stage effectively executes the backdoor by acting “as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, [and] loading and injecting additional plugins into the memory of other processes,” allowing for data exfiltration.
Although the perpetrators were careful not to leave traces of their activity, analysis did find one clue that could potentially assist early attribution efforts: some of the techniques employed in this attack were also used to spread the PlugX remote access tool and Winnti backdoor programs, which were allegedly developed by Chinese-speaking authors.