Attackers compromised NetSarang's software distribution, and the company has since removed the backdoored update. NetSarang makes enterprise server-management software used across a number of industries, including financial services, energy, retail, technology and media.
Kaspersky Lab informed NetSarang of the issue last July after finding suspicious DNS requests on a customer's network in the financial services sector. The requests were coming from software used to process financial transactions.
The attackers accomplished this by swapping the nssock2.dll library in the product's update package for a backdoored version.
“To combat the ever-changing landscape of cyber-attacks NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected, or utilized by cyberespionage groups. Regretfully, the Build release of our full line of products on July 18th, 2017 was unknowingly shipped with a backdoor which had the potential to be exploited by its creator,” said NetSarang in a statement. “The security of our customers and user base is our highest priority and ultimately, our responsibility. The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”
“The attackers hid their malicious intent in several layers of encrypted code,” Kaspersky researchers said. “The tiered architecture prevents the actual business logic of the backdoor from being activated until a special packet is received from the first tier C&C server (‘activation C&C server’). Until then, it only transfers basic information including the computer, domain and user names every eight hours.”
As newer malware technologies have emerged, cyber-crooks have increasingly focused on infiltrating the trusted software update mechanisms of well-known suppliers.
For example, the ExPetr/NotPetya wiper outbreak was traced to a Ukrainian financial software provider called MeDoc, whose update mechanism the attackers compromised to push a fake update laced with NotPetya.
The backdoor does not activate until it receives a DNS TXT record from a specific domain. This channel lets the attackers extract system information, after which the attacker's server sends a decryption key that unlocks the next stage of the attack and activates the backdoor.
The backdoor dubbed ShadowPad is a modular platform that can be used to download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim. The researchers said they can confirm activated payloads in the Asia Pacific region.
NetSarang products are used in hundreds of critical networks around the world, particularly on servers and workstations handled by system administrators. It is of utmost importance that affected companies take immediate action to identify, contain and remove the compromised software.
The affected versions of NetSarang are the following: Xmanager Enterprise 5 Build 1232, Xmanager 5 Build 1045, Xshell 5 Build 1322, Xftp 5 Build 1218 and Xlpd 5 Build 1220.
Kaspersky Lab dated the first compromised nssock2.dll to July 13 and found that the file was signed with a legitimate NetSarang certificate. However, installation packages from April do not include the malicious library, the researchers said.
Kaspersky researchers also published a list of domains to which the DNS requests beaconed out, and any requests to those domains should be blocked, they said.
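The two detection opportunities the article describes, the DNS TXT lookups to the attacker's domains and the eight-hour beacon cadence, can be checked for in DNS resolver logs. The script below is an added illustration, not code from Kaspersky or NetSarang: the domain list and log lines are constructed placeholders (the real indicators are in Kaspersky's published IoC list), and the log format, one query per line as timestamp, client, query type and name, is an assumption about what the resolver writes.

```python
"""Flag DNS queries to blocked domains and periodic TXT beaconing.

Added illustration, not from Kaspersky or NetSarang. The domain list and
log lines are constructed placeholders; substitute the published IoC list
and your resolver's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder blocklist (reserved .test TLD). Replace with the published C&C domains.
BLOCKED_DOMAINS = {"example-activation-c2.test", "example-stage2.test"}

# Constructed sample log: "<ISO timestamp> <client IP> <query type> <queried name>".
# Host 10.1.2.3 issues a TXT lookup every eight hours, the cadence described for
# the backdoor's first stage; the other lines are benign or one-off lookups.
SAMPLE_LOG = """\
2017-07-20T00:05:12Z 10.1.2.3 A update.vendor.test
2017-07-20T00:05:13Z 10.1.2.3 TXT abc123.example-activation-c2.test
2017-07-20T08:05:14Z 10.1.2.3 TXT def456.example-activation-c2.test
2017-07-20T16:05:15Z 10.1.2.3 TXT ghi789.example-activation-c2.test
2017-07-20T09:30:00Z 10.1.2.9 TXT _dmarc.vendor.test
2017-07-20T10:00:00Z 10.1.2.7 A www.example-stage2.test
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qtype, normalised name)."""
    ts, client, qtype, name = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qtype,
            name.rstrip(".").lower())


def blocked_base(name):
    """Return the blocked domain that `name` equals or is a subdomain of, else None.
    Subdomain labels are matched because beacon data is commonly encoded there."""
    for domain in BLOCKED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def matches_blocklist(name):
    return blocked_base(name) is not None


def find_blocked_queries(log_text):
    """Every query (any record type) to a blocked domain or its subdomains."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, name = parse_line(line)
        if matches_blocklist(name):
            hits.append((ts, client, qtype, name))
    return hits


def find_periodic_beacons(hits, period=timedelta(hours=8),
                          tolerance=timedelta(minutes=5), min_count=3):
    """Group TXT hits per (client, blocked domain) and report series whose
    consecutive intervals all fall within `tolerance` of `period`."""
    series = defaultdict(list)
    for ts, client, qtype, name in hits:
        if qtype == "TXT":
            series[(client, blocked_base(name))].append(ts)
    beacons = []
    for (client, domain), times in series.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            beacons.append((client, domain, len(times)))
    return beacons


if __name__ == "__main__":
    found = find_blocked_queries(SAMPLE_LOG)
    for hit in found:
        print("blocked-domain query:", hit)
    for beacon in find_periodic_beacons(found):
        print("periodic TXT beacon (client, domain, count):", beacon)
```

Any hit from `find_blocked_queries` is worth a ticket on its own once the placeholder list is replaced with the real domains; the cadence check in `find_periodic_beacons` is the secondary signal that distinguishes a host still in the dormant first stage from a one-off lookup, and the tolerance should be widened if the resolver only logs to minute precision.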