ShadowPad: Backdoor in enterprise server software exposed

Rodiano Bonacci
August 16, 2017

The hacked software was available for download until August 4.

ShadowPad can be "silently" deployed within targets' computers and when activated, can allow hackers to steal data.

Kaspersky says they discovered the ShadowPad malware while working with a financial institution on an investigation into a number of suspicious DNS requests.

"The most worrying finding was the fact that the vendor did not mean for the software to make these requests", Kaspersky said.

This discovery has led researchers to believe that attackers either took the company's legitimate apps and patched the software to add the backdoor trojan, or they managed to breach NetSarang's software build servers, where they added the backdoor to the source code itself and generated new app builds.

Once every eight hours, the embedded malware in the NetSarang software would call out to specific domains with information about the system (username, domain, host, etc.). After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code.

The backdoor trojan communicated with the attackers' command and control servers via DNS requests. The ShadowPad backdoor has already been activated by hackers against an unspecified firm in Hong Kong. However, Kaspersky Lab researchers are now urging firms using NetSarang's software to update their software.
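The behaviour described above (a beacon to the same domain at a fixed eight-hour interval, carrying host data in the query) is the kind of pattern a defender can hunt for in DNS logs. The following is an added illustration, not code from Kaspersky or NetSarang: it parses constructed DNS query log lines and flags client/domain pairs whose queries recur at a regular interval. The host names, timestamps and the domain `beacon-placeholder.example` are constructed placeholders, not indicators from the article.

```python
"""Flag low-frequency, regularly spaced DNS queries (periodic beaconing).
Constructed example; all hosts and domains below are placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ws-17 queries a placeholder domain every ~8 hours
# with a changing first label (encoded data); ws-22 browses normally.
SAMPLE_LOG = """\
2017-07-20T00:02:11Z ws-17 query a1f9.beacon-placeholder.example
2017-07-20T08:02:09Z ws-17 query 7c2e.beacon-placeholder.example
2017-07-20T16:02:14Z ws-17 query b0d3.beacon-placeholder.example
2017-07-21T00:02:10Z ws-17 query e41a.beacon-placeholder.example
2017-07-20T09:15:00Z ws-22 query www.example.org
2017-07-20T09:15:03Z ws-22 query cdn.example.org
2017-07-20T13:40:21Z ws-22 query www.example.org
"""

def registered_domain(qname):
    """Collapse a query name to its last two labels (sufficient for a demo;
    a real tool would use the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_periodic_beacons(log_text, min_queries=3, max_jitter=0.05):
    """Return (client, domain, interval_hours) for every client/domain pair
    with at least min_queries queries whose gaps are regular, i.e. the
    relative standard deviation of the inter-query gaps is <= max_jitter."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _, qname = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        series[(client, registered_domain(qname))].append(when)
    hits = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, domain, round(avg / 3600, 2)))
    return hits

if __name__ == "__main__":
    for hit in find_periodic_beacons(SAMPLE_LOG):
        print("periodic DNS beacon: client=%s domain=%s every %.2f h" % hit)
```

Real implants often add jitter to their beacon interval, so `max_jitter` and `min_queries` need tuning against the environment's baseline rather than being taken as fixed thresholds.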

"ShadowPad is an example of how risky and wide-scale a successful supply-chain attack can be. Luckily NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data stealing attacks against its clients."

Kaspersky's analysis showed the encrypted malware had been injected into a dynamic link library file used by the NetSarang software.

"Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator. NetSarang will continue to evaluate and improve our security not only to combat the efforts of cyberespionage groups around the world but also in order to regain the trust of its loyal user base".

"The security of our customers and user base is our highest priority and ultimately, our responsibility".

Kaspersky also warned that ShadowPad "could be lying dormant on many other systems worldwide, especially if the users have not installed the updated version of the affected software".

Although it is not yet known how the attackers gained access to NetSarang's systems to plant the malicious code, Kaspersky noted that it was signed with a legitimate certificate from the software developer.
