Security researchers have discovered a backdoor planted in connectivity tools made by NetSarang, including the popular Xshell, Xmanager, Xftp and Xlpd products.
The discovery was made by Kaspersky researchers after suspicious DNS requests appeared to be coming from NetSarang software.
The malicious activity was first noticed at one of Kaspersky’s customers in the financial industry. Kaspersky’s subsequent investigation confirmed that NetSarang software had been compromised, SecurityWeek reports.
The backdoor beacons to its command and control (C&C) servers over DNS, sending a query every eight hours.
Kaspersky identified the malware as ShadowPad, as described in a technical paper:
“ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to ‘validation’ command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.”
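The eight-hour DNS beacon and the per-victim C&C names described above are the kind of pattern a defender can hunt for in resolver logs. The following is an added example, not Kaspersky’s or NetSarang’s code: it groups DNS queries by client and registered domain and flags series whose consecutive queries recur at a fixed period. The log format, client addresses, domain names and timestamps are constructed for the example.

```python
"""Added example: flag DNS query series that recur at a fixed ~8-hour period.
Not code from Kaspersky or NetSarang; log format and sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample resolver log, one query per line (assumed format):
# "<ISO timestamp> <client IP> query <qname>"
SAMPLE_LOG = """\
2017-07-17T00:02:11 10.1.4.22 query 7c3a9f1e2b.example-c2.test
2017-07-17T03:10:45 10.1.4.22 query www.update-vendor.test
2017-07-17T08:02:14 10.1.4.22 query 7c3a9f1e2b.example-c2.test
2017-07-17T16:02:09 10.1.4.22 query 7c3a9f1e2b.example-c2.test
2017-07-18T00:02:12 10.1.4.22 query 7c3a9f1e2b.example-c2.test
2017-07-17T09:15:00 10.1.4.30 query www.update-vendor.test
2017-07-17T09:15:30 10.1.4.30 query www.update-vendor.test
2017-07-17T14:40:00 10.1.4.30 query www.update-vendor.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels so per-victim subdomains
    (C&C names that are 'unique per victim') group under one domain.
    Naive on purpose: it ignores public-suffix rules such as co.uk."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> dict:
    """Group query timestamps by (client, registered domain); skip lines that
    do not match the assumed format."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        series[(client, registered_domain(qname))].append(datetime.fromisoformat(ts))
    return series


def find_periodic_beacons(text: str, period_hours: float = 8.0,
                          tolerance_hours: float = 0.25, min_queries: int = 4) -> list:
    """Return (client, domain, mean_gap_hours) for every series with at least
    min_queries queries whose consecutive gaps all lie within tolerance_hours
    of period_hours. Widen the tolerance if the implant adds jitter."""
    hits = []
    for (client, domain), times in parse_log(text).items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if all(abs(g - period_hours) <= tolerance_hours for g in gaps):
            hits.append((client, domain, round(mean(gaps), 2)))
    return hits


if __name__ == "__main__":
    for client, domain, gap in find_periodic_beacons(SAMPLE_LOG):
        print(f"periodic DNS beacon: {client} -> {domain} every {gap} h")
```

On the constructed log this flags only 10.1.4.22 querying example-c2.test, with a mean gap of 8.0 hours; the vendor-update lookups from both hosts are too few and too irregular to match. In production the same logic runs over resolver or passive-DNS exports, and the period is a parameter because other implants beacon at other intervals.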