Backdoor injected into NetSarang systems management software

By on
Backdoor injected into NetSarang systems management software

Firm suffers supply-chain attack.

Attackers have inserted a backdoor into the NetSarang network and server management software platform, potentially compromising hundreds of companies.

The vendor acknowledged the July 13 compromise after being alerted to the attack by security firm Kaspersky.

The hacked software was available for download until August 4. Kaspersky spotted it when one of its Hong Kong financial institution customers' systems sent out a suspicious domain name system request that was traced back to the malware.

NetSarang software is distributed worldwide including in Australia, and is used by energy, financial and pharmaceutical companies.

The affected NetSarang software packages and version numbers are:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220

Users are advised to update their software as soon as possible. Antiviruses detect the backdoor and may quarantine the affected file, leaving the hacked software inoperable, NetSarang said.

Kaspersky's analysis showed the encrypted malware had been injected into a dynamic link library file used by the NetSarang software.

The payload, which Kaspersky termed ShadowPad, is activated via a specially crafted DNS TXT record for a domain name that is generated from the month and year it takes place.

"If the backdoor were activated, the attacker would be able to upload files, create processes, and store information in a VFS [virtual file system] contained within the victim’s registry," Kaspersky said.

"The VFS and any additional files created by the code are encrypted and stored in locations unique to each victim."

Although it is not yet known how the attackers gained access to NetSarang's systems to plant the malicious code, Kaspersky noted that it was signed with a legitimate certificate from the software developer.

A similar supply side attack was used to compromise servers belonging to Ukrainian financial software firm MeDoc to inject the destructive Petya/NotPetya malware earlier this year.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.
In Partnership With

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?