Attackers infiltrated the update mechanism for a popular server management software package as recently as last month and modified it to include a backdoor.
NetSarang, which has headquarters in South Korea and the United States, has removed the backdoored update, but not before the backdoor was activated on at least one victim’s machine in Hong Kong. Its customers include large enterprises in financial services, energy, retail, technology, media and other industries.
Researchers at Kaspersky Lab today said they privately disclosed this issue to the provider in July after finding suspicious DNS requests on a customer’s network in the financial services space. The requests were found on systems used to process transactions, Kaspersky Lab said.
An investigation into the DNS queries led them to NetSarang, which quickly swapped out the malicious library in its update package with a clean one, Kaspersky Lab said in a report published today on Securelist. The backdoor was embedded in a code library called nssock2.dll used by the software.
“To combat the ever-changing landscape of cyberattacks NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected, or utilized by cyberespionage groups. Regretfully, the Build release of our full line of products on July 18th, 2017 was unknowingly shipped with a backdoor which had the potential to be exploited by its creator,” said NetSarang in a statement. “The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”
The attack is the latest in which nation-state actors or cybercriminals have compromised a software supply chain provider and abused a trusted update mechanism. The ExPetr/NotPetya wiper outbreak, for example, was traced to a Ukrainian financial software provider called MeDoc: attackers compromised its update mechanism and pushed a malicious update carrying NotPetya, which was initially mistaken for a ransomware attack similar to WannaCry.
“The attackers hid their malicious intent in several layers of encrypted code,” researchers said. “The tiered architecture prevents the actual business logic of the backdoor from being activated until a special packet is received from the first tier C&C server (‘activation C&C server’). Until then, it only transfers basic information including the computer, domain and user names every eight hours.”
The payload would only be activated by a crafted DNS TXT record for a specific domain, the researchers said. In its dormant tier the implant beacons basic system information to the attackers inside DNS queries, which lets them pick their targets; if the attackers’ server answers with a TXT record carrying a decryption key, the next stage is decrypted and the backdoor is activated.
Kaspersky Lab said the backdoor, called ShadowPad, is a modular platform that can be used to download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim. The researchers said they can confirm activated payloads in the Asia Pacific region.
“Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software,” Kaspersky Lab said.
Affected versions of NetSarang software containing the malicious nssock2.dll are Xmanager Enterprise 5 Build 1232, Xmanager 5 Build 1045, Xshell 5 Build 1322, Xftp 5 Build 1218 and Xlpd 5 Build 1220. Kaspersky Lab said the first compile date it is aware of for the backdoor is July 13, 2017, and that the file is signed with a legitimate NetSarang certificate, so a valid code-signing check alone will not flag it. Installation kits from April do not include the malicious library, the researchers said.
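The paragraph above gives defenders three handles that do not depend on the (valid) signature: the listed product builds, the July 13 compile date, and file hashes from the published indicators. The following triage script is an added example written for this page, not NetSarang or Kaspersky Lab code. It reads the compile timestamp straight from the PE/COFF header, compares it against the first known bad build date, checks the build number against the list in the article, and leaves a hash set as a placeholder (an assumption: fill it from the vendor or Kaspersky indicator list). The PE buffers it tests against are constructed in the script so it runs offline.

```python
import hashlib
import struct
from datetime import datetime, timezone
from pathlib import Path

# Build numbers the article lists as carrying the malicious nssock2.dll.
AFFECTED_BUILDS = {
    "Xmanager Enterprise 5": 1232,
    "Xmanager 5": 1045,
    "Xshell 5": 1322,
    "Xftp 5": 1218,
    "Xlpd 5": 1220,
}

# Earliest compile date Kaspersky Lab reported for the backdoored library.
FIRST_BAD_BUILD = datetime(2017, 7, 13, tzinfo=timezone.utc)

# Placeholder (assumption): populate from the vendor/Kaspersky indicator list.
# Left empty here so the example runs offline; the timestamp check still works.
KNOWN_BAD_SHA256 = set()


def is_affected_build(product: str, build: int) -> bool:
    """True when the installed product/build pair is one the article lists."""
    return AFFECTED_BUILDS.get(product) == build


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout used: 'MZ' at offset 0, e_lfanew (uint32 LE) at 0x3C, 'PE\\0\\0' at
    e_lfanew, then the COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess(data: bytes) -> dict:
    """Judge one nssock2.dll image. Authenticode validity is deliberately NOT
    consulted: the backdoored file carried NetSarang's own signature, so a
    passing signature check proves nothing about this file."""
    digest = hashlib.sha256(data).hexdigest()
    compiled = pe_timestamp(data)
    reasons = []
    if digest in KNOWN_BAD_SHA256:
        reasons.append("sha256 matches a known backdoored nssock2.dll")
    if compiled >= FIRST_BAD_BUILD:
        reasons.append(f"compiled {compiled:%Y-%m-%d}, on/after the first known bad build")
    return {"sha256": digest, "compiled": compiled,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(root: Path):
    """Yield (path, verdict) for every nssock2.dll found under root."""
    for path in root.rglob("nssock2.dll"):
        yield path, assess(path.read_bytes())


def build_fake_pe(stamp: datetime) -> bytes:
    """Constructed, minimal PE-shaped buffer for offline testing; not a real DLL."""
    e_lfanew = 0x80
    image = bytearray(e_lfanew + 24)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine = IMAGE_FILE_MACHINE_I386, one section, then the timestamp.
    struct.pack_into("<HHI", image, e_lfanew + 4, 0x014C, 1, int(stamp.timestamp()))
    return bytes(image)


# Constructed samples: one predating the backdoor, one on the first bad compile date.
APRIL_SAMPLE = build_fake_pe(datetime(2017, 4, 3, 12, 0, tzinfo=timezone.utc))
JULY_SAMPLE = build_fake_pe(datetime(2017, 7, 13, 9, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, sample in (("april build", APRIL_SAMPLE), ("july build", JULY_SAMPLE)):
        print(label, assess(sample))
    print("Xshell 5 build 1322 affected:", is_affected_build("Xshell 5", 1322))
```

On a real host, point `scan()` at the NetSarang installation directory; a copy flagged only by timestamp should be confirmed against the published hashes before being treated as the backdoored build, since a legitimate later rebuild from the vendor would also postdate July 13.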
The researchers also published a list of domains to which the DNS requests beaconed out; any requests to those domains should be blocked, and any that are observed treated as a sign of an affected installation, they said.
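The two DNS behaviours described on this page, beaconing every eight hours in the dormant tier and the domain list that should be blocked, translate directly into resolver-log detection. The script below is an added example for this page, not Kaspersky Lab's tooling. It assumes a simple constructed log format, uses placeholder `.invalid` names in place of the published domain list, and assumes the beacons appear as TXT queries (the article says only that activation arrives in a TXT record). It flags suffix matches against the blocklist, looks for eight-hourly TXT query cadence per client and domain, and emits Response Policy Zone lines for the blocklist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder (assumption): stand-ins for the domains Kaspersky Lab published.
# Replace with the real indicator list; these .invalid names never resolve.
BLOCKED_DOMAINS = {"c2-one.invalid", "c2-two.invalid"}

# Beacon cadence reported in the article, plus tolerance for scheduler drift.
BEACON_INTERVAL = timedelta(hours=8)
JITTER = timedelta(minutes=10)

# Constructed resolver log format: "<iso8601Z> client=<ip> qtype=<type> qname=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)


def parse(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "qtype": m["qtype"].upper(),
            "qname": m["qname"].rstrip(".").lower()}


def matches_blocklist(qname: str) -> bool:
    """True if qname is a blocked domain or any subdomain of one. Beacons carry
    their encoded data in the leftmost labels, so a suffix match is required."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def find_beacons(records, interval=BEACON_INTERVAL, jitter=JITTER, min_hits=3):
    """Flag (client, apex) pairs whose TXT queries recur at roughly `interval`.
    The apex is approximated as the last two labels; use a public-suffix lookup
    in production."""
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            apex = ".".join(r["qname"].split(".")[-2:])
            groups[(r["client"], apex)].append(r["ts"])
    hits = []
    for key, times in groups.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - interval) <= jitter]
        if len(periodic) + 1 >= min_hits:
            hits.append(key)
    return hits


def rpz_records():
    """Response Policy Zone lines that NXDOMAIN each blocked domain and its subdomains."""
    lines = []
    for d in sorted(BLOCKED_DOMAINS):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


def analyse(lines):
    records = [r for r in map(parse, lines) if r]
    blocked = [(r["client"], r["qname"]) for r in records if matches_blocklist(r["qname"])]
    return {"blocked": blocked, "beacons": find_beacons(records)}


# Constructed sample: one host beaconing every ~8h, two hosts with benign lookups.
SAMPLE_LOG = [
    "2017-07-20T00:00:05Z client=10.0.0.7 qtype=TXT qname=k7x2m.c2-one.invalid.",
    "2017-07-20T00:03:10Z client=10.0.0.9 qtype=A qname=www.example.com.",
    "2017-07-20T08:01:12Z client=10.0.0.7 qtype=TXT qname=q9ab1.c2-one.invalid.",
    "2017-07-20T09:15:00Z client=10.0.0.12 qtype=TXT qname=_dmarc.example.org.",
    "2017-07-20T16:00:41Z client=10.0.0.7 qtype=TXT qname=z31pq.c2-one.invalid.",
    "2017-07-21T00:02:09Z client=10.0.0.7 qtype=TXT qname=h5tt0.c2-one.invalid.",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("queries to blocked domains:", result["blocked"])
    print("periodic TXT beacons:", result["beacons"])
    print("\n".join(rpz_records()))
```

The cadence check is the part worth keeping even after the domain list changes: the attackers can register new domains, but a dormant implant that phones home on a fixed eight-hour schedule from a server that otherwise makes few TXT queries stands out regardless of the name it resolves.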