Backdoor in software used by large IT companies and not only

Kaspersky Lab employees have once again demonstrated what they can do. In one of the modules of NetSarang software (nssock2.dll) they discovered a deliberately programmed vulnerability, a backdoor, that gave attackers full control over workstations, terminals and servers.

The backdoor, called ShadowPad, reached the computers of NetSarang customers through a software update, in the same way that the NotPetya ransomware discovered in Ukraine was delivered through the MEDoc application used by Ukrainian companies: someone attacked NetSarang's servers and replaced the digitally signed update files. The backdoor was discovered after experts examined suspicious DNS requests (domain name lookups). The incident was reported by one of Kaspersky Lab's customers from the financial sector.
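The backdoor was noticed because of unusual DNS lookups, and that is a detection any network defender can reproduce over their own resolver logs. The script below is an added example written for this article, not code from Kaspersky Lab or NetSarang. It scans DNS query log lines (the log format, the sample lines and the domain names are constructed for the example and are not indicators from the incident) and flags a client that repeatedly queries hostnames whose leading label is long and high-entropy under one base domain, which is the typical shape of DNS beaconing. The thresholds are assumptions to be tuned per environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the incident). Assumed format:
# "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2017-07-20T09:12:01Z 10.0.5.23 A www.example.com
2017-07-20T09:12:03Z 10.0.5.23 A cdn.example.net
2017-07-20T09:12:07Z 10.0.5.23 TXT 3f9a1c7b2e6d8a04b5c1.updates-example.test
2017-07-20T09:20:07Z 10.0.5.23 TXT 9e2b7d4f1a6c3e8b0d52.updates-example.test
2017-07-20T09:28:07Z 10.0.5.23 TXT c41e8a9f7b2d6e3a5f0b.updates-example.test
2017-07-20T09:30:11Z 10.0.5.41 A mail.example.com
2017-07-20T09:31:40Z 10.0.5.41 AAAA login.example.com
"""

# Assumed thresholds; tune them against a baseline of your own traffic.
LABEL_MIN_LEN = 16        # leading label at least this long
ENTROPY_MIN = 3.0         # bits per character; hex/base32 blobs score well above 3
BEACON_MIN_QUERIES = 3    # distinct suspicious names per (client, base domain)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(AAAA|A|TXT|CNAME|MX|NS|PTR|SRV)\s+(\S+)$")


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def is_suspicious_query(rec):
    """A query is suspicious when its leading label looks like encoded data."""
    labels = rec["qname"].split(".")
    if len(labels) < 3:          # need at least <label>.<domain>.<tld>
        return False
    first = labels[0]
    return len(first) >= LABEL_MIN_LEN and shannon_entropy(first) >= ENTROPY_MIN


def base_domain(qname):
    """Approximate the registrable domain by the last two labels.
    A production detector should use the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text):
    """Group suspicious queries per (client, base domain) and report the groups
    with at least BEACON_MIN_QUERIES distinct names: one odd lookup is noise,
    a stream of them to the same domain is a beacon worth investigating."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_query(rec):
            groups[(rec["client"], base_domain(rec["qname"]))].append(rec)
    findings = []
    for (client, domain), recs in sorted(groups.items()):
        distinct = {r["qname"] for r in recs}
        if len(distinct) >= BEACON_MIN_QUERIES:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(recs),
                "distinct_names": len(distinct),
                "qtypes": sorted({r["qtype"] for r in recs}),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"{f['distinct_names']} distinct names, types {f['qtypes']}")
```

On the constructed sample only 10.0.5.23 is reported: its three TXT lookups carry 20-character high-entropy labels under one domain, while the ordinary A/AAAA lookups from both hosts are ignored. The same logic can be pointed at real resolver logs by adapting `LINE_RE` to the log format in use.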


DLL library containing the backdoor in the Xshell 5 software.

For 17 days, from July 17 to August 4, the backdoor gave the attackers insight into the directory structure and files of infected systems. The NetSarang software, created by programmers from the USA and South Korea, gave the attackers full control: any code delivered from the criminals' server could be executed. To make detection more difficult, the backdoor stored its components in a virtual file system (VFS) kept inside the Windows registry.

The products NetSarang Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0 and Xlpd 5.0 became part of a malicious supply chain that carried infected software to the computers of hundreds of banks, energy companies and drug manufacturers. NetSarang, the software's developer, confirms that its infrastructure was attacked and that everything necessary has been done to prevent similar incidents in the future.

The attack using the ShadowPad backdoor relied on the same tactic as NotPetya: taking control of the software update mechanism.

Following the report from Kaspersky Lab employees, the manufacturer of the NetSarang toolkit has issued an update to prevent similar attacks.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.