
NetSarang Apps Riddled with ShadowPad Backdoor


Security researchers have found that several connectivity products made by NetSarang were shipped with the ShadowPad backdoor. The attackers broke into the company’s build or distribution infrastructure and replaced the legitimate installers with trojanized copies, so customers who downloaded the software from the official site received the backdoor along with it.


NetSarang Products Infected With The ShadowPad Backdoor

NetSarang, a well-known developer of connectivity software, was found to be distributing malware-infected installers of its products from its official site. The incident was reported by Kaspersky Lab, which analyzed the installers after a customer running the software noticed a suspicious DNS request originating from a NetSarang package on their own network. The investigation showed that the following builds were compromised: Xmanager Enterprise 5 (build 1232), Xmanager 5 (build 1045), Xshell 5 (build 1322), Xftp 5 (build 1218) and Xlpd 5 (build 1220).

The investigators believe that the attackers gained access to NetSarang’s build or download servers and either tampered with the build process or replaced the finished installers with their own versions. The backdoored library carried NetSarang’s legitimate code-signing signature, which is why it passed through unnoticed. The malicious builds were released on July 18, and the discovery was made several weeks later, on August 4. Kaspersky Lab reports that the second-stage payload was observed activated only on a system belonging to a company in Hong Kong, which suggests that the attackers trigger it selectively against chosen targets; on every other infected machine it stayed dormant. Other companies may have been affected as well. NetSarang has since published clean builds and anti-virus vendors have added detection, so both active and dormant infections can now be identified. Any host that has run one of the affected builds should be updated, and its DNS logs reviewed for the beacon traffic described below.


Impact of the ShadowPad Backdoor

The ShadowPad backdoor is modular malware that infects the victim in two stages:

  1. The first stage is shellcode embedded in “nssock2.dll”, a legitimate library shipped with the NetSarang products, which the backdoored build loads at startup. Roughly every eight hours it gathers basic information about the victim computer, encrypts it and relays it to the hacker-controlled C&C servers inside DNS queries.
  2. The second stage is the ShadowPad backdoor engine itself. It stays dormant until a C&C server replies with an activation key; only then is it decrypted and started. The collected samples carry five modules in a plugin architecture, which means additional modules can be loaded on demand.

All C&C traffic is encrypted, so the content of the connections tells administrators nothing; the infection is still visible as periodic DNS queries to unfamiliar domains, which is exactly how it was first noticed. As this is a sophisticated backdoor, it allows the criminals to perform several malicious actions on the compromised machines:

  • Information Harvesting ‒ On request the operators can collect a host profile: date and time, memory status, CPU frequency, free disk space, video mode, system regional settings, process IDs, operating system version, username and domain name, as well as a list of hardware components and software configuration files.
  • DNS Module ‒ The ShadowPad backdoor communicates with the C&C servers over the DNS protocol, which is rarely blocked and often not logged.
  • Data Theft ‒ The backdoor can exfiltrate sensitive user files from the compromised machines; stolen data can later be used for financial fraud or identity theft.
  • Payload Delivery ‒ The backdoor can drop and execute additional malware, so a ShadowPad infection can lead to further infections.
  • Network Propagation ‒ With remote control of the host, the operators can move laterally to other machines on the same network by exploiting whatever weaknesses they find.

As a result the backdoor lets the attackers upload files to compromised clients and bind them to running processes or new threads. Its components live in a virtual file system (VFS) kept inside the Windows registry rather than on disk, which defeats simple file scans, and the encrypted traffic gives signature-based network tools little to match on. We therefore recommend three checks rather than relying on a single product: compare installed NetSarang builds against the affected list above and update to the vendor’s clean builds, review DNS logs for regular queries to unfamiliar domains, and run an up-to-date anti-malware scan that includes the registry.
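The first-stage beacon described above (stage 1 of the infection and the DNS module) is the part of ShadowPad a defender can see without decrypting anything: a fixed-interval DNS query whose leftmost label carries encoded data. The following script is an added example written for this article, not code from Kaspersky Lab, NetSarang or the malware itself. It assumes a resolver log with one query per line in the form "<ISO-8601 time> <client IP> <qtype> <qname>" (an assumption about the log format) and flags (client, domain) pairs whose TXT queries have long, high-entropy labels at a steady interval. The log lines and the domain "c2-placeholder.test" are constructed for the demo and are not the real C&C names.

```python
"""Flag hosts whose DNS queries look like a ShadowPad-style beacon.

Added example for illustration only; not the article's, Kaspersky Lab's or
NetSarang's code. Log format and sample data are assumptions (see module docstring
comments below).
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format, one query per line: "<ISO-8601 time> <client IP> <qtype> <qname>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

# Constructed sample log. 10.0.0.5 beacons every ~8 hours with a 32-character
# encoded label; 10.0.0.7 and 10.0.0.9 issue benign TXT lookups (one-off or short labels).
SAMPLE_LOG = """\
2017-07-20T02:00:00 10.0.0.5 A www.example.com
2017-07-20T02:00:11 10.0.0.5 TXT 3f9a1c77e0b2d4a6f8c1e3b5d7a9c0e2.c2-placeholder.test
2017-07-20T02:00:12 10.0.0.7 TXT _dmarc.example.com
2017-07-20T02:00:30 10.0.0.9 TXT _acme-challenge.example.org
2017-07-20T10:00:09 10.0.0.5 TXT a1d3f5b7c9e0a2c4e6b8d0f2a4c6e8b0.c2-placeholder.test
2017-07-20T10:00:30 10.0.0.9 TXT _acme-challenge.example.org
2017-07-20T13:30:00 10.0.0.7 TXT 5b7d9f1a3c5e7a9b1d3f5a7c9e1b3d5f.example.net
2017-07-20T18:00:14 10.0.0.5 TXT c0e2a4c6e8b0d2f4a6c8e0b2d4f6a8c0.c2-placeholder.test
2017-07-20T18:00:30 10.0.0.9 TXT _acme-challenge.example.org
2017-07-21T02:00:07 10.0.0.5 TXT e8b0d2f4a6c8e0b2d4f6a8c0e2a4c6e8.c2-placeholder.test
garbage line that does not parse
"""


def shannon_entropy(text):
    """Bits per character; encoded or encrypted data scores high, dictionary words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (time, client, qtype, qname) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return datetime.fromisoformat(ts), client, qtype, qname.rstrip(".").lower()


def registered_domain(qname):
    """Naive public-suffix handling (last two labels); enough for the demo, not for .co.uk."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_beacons(lines, min_queries=3, min_label_len=20, min_entropy=3.0, max_jitter=0.25):
    """Group TXT queries by (client, registered domain) and report groups whose
    leftmost labels look like encoded data and whose timing is regular."""
    groups = defaultdict(list)  # (client, domain) -> [(time, leftmost label)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qtype, qname = parsed
        if qtype != "TXT":
            continue
        groups[(client, registered_domain(qname))].append((ts, qname.split(".")[0]))

    findings = []
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        if not all(len(lbl) >= min_label_len and shannon_entropy(lbl) >= min_entropy
                   for _, lbl in events):
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0 or max(abs(g - mean) for g in gaps) / mean > max_jitter:
            continue  # irregular timing: more likely a human or a scheduled job with drift
        findings.append({"client": client, "domain": domain,
                         "queries": len(events), "period_hours": round(mean / 3600, 2)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample log only 10.0.0.5 is reported, with a period of 8.0 hours; the DMARC and ACME lookups are ignored because their labels are short, and the single long lookup from 10.0.0.7 never reaches the minimum query count. Feed the function your own resolver export after mapping it to the assumed line format, and tune min_label_len and max_jitter to your environment before acting on results.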


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
