Attackers added a backdoor to the popular server management tools made by NetSarang

While investigating suspicious DNS requests for a financial institution, researchers at Kaspersky discovered a backdoor in recently updated copies of software released by NetSarang, a developer of management tools for servers and clients.

Kaspersky linked the backdoor to the ShadowPad family of malware and alerted the software firm, which then pulled the hijacked releases and alerted customers.

Kaspersky says it discovered the ShadowPad malware while working with a financial institution on an investigation into a number of suspicious DNS requests.

Once every eight hours, the malware embedded in the NetSarang software calls out to specific domains with information about the system (username, domain, host, etc.). The domains used change monthly, and Kaspersky says domains have been registered to cover July through December 2017. If the data sent in the DNS request is of interest to the attackers, the command-and-control (C&C) servers respond and activate the backdoor, enabling additional downloads of malicious software.

“Currently, we can confirm activated payload in a company in Hong Kong. Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software,” Kaspersky wrote in a brief on Securelist. As long as NetSarang customers are using the compromised software versions, they are vulnerable.

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component,” said Igor Soumenkov, security expert, Global Research and Analysis Team, Kaspersky Lab.

In a statement, NetSarang confirmed Kaspersky’s findings and encouraged customers to update as soon as possible.

“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator. The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.

“NetSarang is committed to its users’ privacy and has incorporated a more robust system to ensure that never again will a compromised product be delivered to its users. NetSarang will continue to evaluate and improve our security not only to combat the efforts of cyberespionage groups around the world but also in order to regain the trust of its loyal user base.”

ShadowPad was discovered in NSSOCK2.DLL, and communications with the C&C servers happen like clockwork, affording administrators a chance to check their existing logs for previous connections. It isn’t clear how the attackers compromised NetSarang and were able to add malware to its code. That investigation is ongoing, Kaspersky says. Likewise, it isn’t clear who was actually responsible for the attack itself.

“Attribution is hard and the attackers were very careful to not leave obvious traces. However certain techniques were known to be used in another malware like PlugX and Winnti, which were allegedly developed by Chinese-speaking actors,” Kaspersky said.

Impacted software:

Xmanager Enterprise 5 Build 1232
Xmanager 5 Build 1045
Xshell 5 Build 1322
Xftp 5 Build 1218
Xlpd 5 Build 1220

The DNS requests were sent to the following domains:

ribotqtonut.com
nylalobghyhirgh.com
jkvmdmjyfcvkf.com
bafyvoruzgjitwr.com
xmponmzmxkxkh.com
tczafklirkl.com
notped.com
dnsgogle.com
operatingbox.com
paniesx.com
techniciantext.com
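The article notes that the beacons run like clockwork and that administrators can check existing DNS logs for prior connections. The following script is an added example written for this page, not code from Kaspersky, NetSarang or the article; it assumes a simple, constructed resolver log format (`timestamp client=… query=… type=…`) and shows two complementary checks: matching queried names against the domains listed above (including subdomains, since the beacon prepends host data as labels), and, independently of any domain list, flagging a client that queries the same registered domain at a steady eight-hour cadence.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the article lists as the ShadowPad DNS C&C destinations.
IOC_DOMAINS = {
    "ribotqtonut.com", "nylalobghyhirgh.com", "jkvmdmjyfcvkf.com",
    "bafyvoruzgjitwr.com", "xmponmzmxkxkh.com", "tczafklirkl.com",
    "notped.com", "dnsgogle.com", "operatingbox.com", "paniesx.com",
    "techniciantext.com",
}

# Assumed log line shape (constructed for this example, not a real product's format):
# "<ISO timestamp> client=<ip> query=<name> type=<rrtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<rrtype>\S+)$"
)

# Constructed sample log: one host beacons to an IoC domain every ~8 hours,
# mixed in with ordinary lookups from two hosts.
SAMPLE_LOG = """\
2017-08-01T00:03:10 client=10.1.2.30 query=www.example.com type=A
2017-08-01T00:05:42 client=10.1.2.30 query=a1b2c3.notped.com type=A
2017-08-01T08:05:51 client=10.1.2.30 query=d4e5f6.notped.com type=A
2017-08-01T12:00:00 client=10.1.2.31 query=mail.example.com type=MX
2017-08-01T16:06:03 client=10.1.2.30 query=0a1b2c.notped.com type=A
2017-08-01T16:10:00 client=10.1.2.31 query=updates.example.net type=A
2017-08-02T00:06:12 client=10.1.2.30 query=3d4e5f.notped.com type=A
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "qname": m["qname"].rstrip(".").lower(),
        "rrtype": m["rrtype"],
    }


def matching_ioc(qname):
    """Return the IoC domain that qname equals or is a subdomain of, else None."""
    for d in IOC_DOMAINS:
        if qname == d or qname.endswith("." + d):
            return d
    return None


def find_ioc_hits(lines):
    """List (client, ioc_domain, timestamp) for every query touching a listed domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        d = matching_ioc(rec["qname"])
        if d:
            hits.append((rec["client"], d, rec["ts"]))
    return hits


def find_periodic_beacons(lines, period=timedelta(hours=8),
                          tolerance=timedelta(minutes=10), min_intervals=2):
    """Flag (client, registered_domain, regular_gap_count) pairs whose consecutive
    query gaps cluster around `period`. This needs no domain list, so it can still
    surface a beacon after the attackers rotate to a domain not yet known."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Registered domain approximated as the last two labels (assumption; adequate for .com).
        labels = rec["qname"].split(".")
        reg = ".".join(labels[-2:]) if len(labels) >= 2 else rec["qname"]
        by_pair[(rec["client"], reg)].append(rec["ts"])
    flagged = []
    for (client, reg), stamps in sorted(by_pair.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) >= min_intervals:
            flagged.append((client, reg, len(regular)))
    return flagged


if __name__ == "__main__":
    for client, domain, ts in find_ioc_hits(SAMPLE_LOG):
        print(f"IoC hit: {client} -> {domain} at {ts.isoformat()}")
    for client, domain, n in find_periodic_beacons(SAMPLE_LOG):
        print(f"Periodic beacon: {client} -> {domain} ({n} regular 8h gaps)")
```

The cadence check is the more durable of the two: the domain list above only covers the registrations Kaspersky saw, whereas a host talking to any one registered domain every eight hours, with little else in between, is the behaviour the article describes and is worth a look regardless of the name involved. Widen `tolerance` if your resolver logs are coarse, and run both checks over the whole window from the July 18, 2017 build onward.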