Advanced malware found in software used in more than 100 banks
Powerful backdoor dubbed ‘ShadowPad’ was added to five server management products sold by NetSarang.
A powerful backdoor dubbed ‘ShadowPad’, planted in server management software used by hundreds of large businesses worldwide, has been discovered by researchers at Kaspersky Lab. Once activated, the backdoor allowed attackers to download further malicious modules and steal data. Kaspersky Lab alerted NetSarang, the affected software vendor, which removed the malicious code and released an update for its customers. ShadowPad is one of the largest known supply-chain attacks; had the threat not been detected and patched quickly, it could have reached hundreds of organisations worldwide, Kaspersky Lab stated.
As reported by Ars Technica, the backdoored builds of the affected products, NetSarang’s Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0 and Xlpd 5.0, were available between July 17th and August 4th. Kaspersky Lab’s Global Research and Analysis Team (GReAT) was approached by a financial institution about a suspicious DNS (Domain Name System) request originating from a system involved in processing financial transactions. Further investigation showed that the vendor had not intended the software to make such requests; the researchers then traced them to a malicious module hidden inside a recent version of the legitimate software.
Once installed on a server, the malicious module would send DNS queries containing basic information about the victim’s system (user name, domain name, host name) to specific domains every eight hours. If the attackers judged the system to be of interest, the command-and-control server would reply and activate a fully-fledged backdoor platform, which would then download and execute further malicious code. Kaspersky Lab promptly informed NetSarang, after which the company released an updated version of the software without the malicious code. “To combat the ever-changing landscape of cyberattacks, NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected or utilised by cyberespionage groups. Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” the company said in a statement. “NetSarang is committed to its users’ privacy and has incorporated a more robust system to ensure that never again will a compromised product be delivered to its users,” it added.
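The beaconing behaviour described above is exactly what a resolver log can reveal. The following Python is an added example, not code from the original article, from Kaspersky Lab or from NetSarang: it parses a constructed DNS log (a hypothetical three-column format of timestamp, client address and queried name) and flags a host that queries long, high-entropy subdomains of a single domain on a roughly eight-hour cadence, while leaving alone a host that queries an ordinary name on the same cadence. The log format, domain names, client addresses and thresholds are all assumptions; the real ShadowPad domains and encoding scheme are not reproduced here.

```python
"""Flag hosts that beacon over DNS on a fixed cadence with encoded subdomains.

Added example, not code from the article, Kaspersky Lab or NetSarang.
The log format, domains, addresses and thresholds below are assumptions.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name>".
# 10.1.4.22 queries a random-looking label under one domain every ~8 hours;
# 10.1.4.31 also hits one domain on an ~8 hour cadence, but with a normal label.
SAMPLE_DNS_LOG = """\
2017-08-01T00:02:11 10.1.4.22 www.example.com
2017-08-01T00:02:13 10.1.4.22 updates.example.org
2017-08-01T00:03:40 10.1.4.22 d3w2zq7mmt6fhgq4vsbpkfyyt.beacon-example.test
2017-08-01T08:03:42 10.1.4.22 kx8q2tdfnwy7p3mrhl5bq2vux.beacon-example.test
2017-08-01T16:03:39 10.1.4.22 j4bn6p2rxq9tmw7hksdzf3c8v.beacon-example.test
2017-08-02T00:03:41 10.1.4.22 wq7ezt2kmvx9ph4s6bnjy3drc.beacon-example.test
2017-08-01T09:15:02 10.1.4.31 www.example.com
2017-08-01T17:20:00 10.1.4.31 www.example.com
2017-08-02T01:30:00 10.1.4.31 www.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Naive last-two-label cut; production code should use a public suffix list."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(qname, min_len=16, min_entropy=3.5):
    """True when the leftmost label is long and random-looking, as encoded data tends to be."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def is_periodic(times, period=timedelta(hours=8), tolerance=timedelta(minutes=30), min_queries=3):
    """True when every gap between consecutive queries is within tolerance of period."""
    if len(times) < min_queries:
        return False
    ordered = sorted(times)
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    return all(abs(gap - period) <= tolerance for gap in gaps)


def find_beacons(records, **periodicity):
    """Group queries by (client, registered domain); flag cadence plus encoded labels."""
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))
    findings = []
    for (client, domain), items in sorted(groups.items()):
        times = [t for t, _ in items]
        names = [q for _, q in items]
        if is_periodic(times, **periodicity) and all(looks_encoded(q) for q in names):
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(items),
                "first": min(times).isoformat(),
                "last": max(times).isoformat(),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_DNS_LOG)):
        print(f"{hit['client']} -> {hit['domain']}: {hit['queries']} queries, "
              f"{hit['first']} .. {hit['last']}")
```

The eight-hour period is the one detail the article gives; pass a different `period` and `tolerance` to `find_beacons` for other implants, and widen the tolerance if the implant adds jitter. Cadence alone is a weak signal (the second host in the sample shows why), which is why the encoded-label check is required as well. The registered-domain cut is deliberately naive; anything run against real logs should use a public suffix list so that names under suffixes such as co.uk are grouped correctly.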
According to Kaspersky Lab’s research, the malicious module has so far been observed activated in Hong Kong, but many other systems worldwide are believed to be affected. Users should install the updated version of the affected software to safeguard their systems. Because the module beacons over DNS before any further code is fetched, DNS query logs from the affected period are the place to look for signs that the backdoor was activated on a given host. “ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component,” said Igor Soumenkov, security expert, Global Research and Analysis Team, Kaspersky Lab.