Advanced ShadowPad malware lurked in digitally signed products sold by NetSarang.

For 17 days starting last month, an advanced backdoor that gave attackers complete control over networks lurked in digitally signed software used by hundreds of banks, energy companies, and pharmaceutical manufacturers, researchers warned Tuesday.

The backdoor, dubbed ShadowPad, was added to five server- or network-management products sold by NetSarang, a software developer with offices in South Korea and the US. The malicious products were available from July 17 to August 4, when the backdoor was discovered and privately reported by researchers from antivirus provider Kaspersky Lab. Anyone who uses the five NetSarang titles Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0, or Xlpd 5.0, should immediately review posts here and here from NetSarang and Kaspersky Lab respectively.

Covert data collection

The attack is the latest to manipulate the supply chain of a legitimate product in hopes of infecting the people who rely on it. The NotPetya worm that shut down computers around the world in June used the same tactic after attackers hijacked the update mechanism for tax software that was widely used in Ukraine. Supply-chain attacks that targeted online gamers included one used to spread the PlugX trojan in 2015 and the malware dubbed WinNTi in 2013.
"Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components," Kaspersky Lab researchers wrote in their blog post. "Luckily, NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data-stealing attacks against their clients."

The backdoor code was located in a version of the file nssock2.dll that went live on the NetSarang website on July 17. The malicious file was signed with NetSarang's legitimate certificate, and it remained undetected until Kaspersky Lab researchers privately notified NetSarang officials of the tampering. In a statement, company officials wrote:

It has been confirmed that NetSarang's infrastructure was compromised. We've created a completely new and separate infrastructure and have wiped every single device which will be placed into this new infrastructure. Each device is then examined, white-listed, and then placed into the new infrastructure one-by-one. This process will take several weeks, but we need to ensure that a compromise such as this is never again possible at NetSarang. Our users' security is our highest priority.

The malicious NetSarang products contained an advanced design that made it hard to detect on infected networks. It was made up of several layers of encrypted code that were decrypted only in select cases. A tiered control-server system prevented the main functions of the malicious module from being activated unless the server sent the compromised machine a special packet. Until then, compromised machines sent only basic information, including their domain and user names, every eight hours. The activation was ultimately triggered by a specially designed domain name system TXT record for a specific domain name. The domain changed based on the current month and year.

Kaspersky Lab researchers continued:

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor. The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable Latin characters. Each packet also contains an encrypted "magic" DWORD value "52 4F 4F 44" ('DOOR' if read as a little-endian value).
Our analysis indicates the embedded code acts as a modular backdoor platform. It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim. The remote access capability includes a domain generation algorithm (DGA) for C&C servers which changes every month. The attackers behind this malware have already registered the domains covering July to December 2017, which indirectly confirms alleged start date of the attack as around mid July 2017.

The researchers said they discovered the backdoor after a Kaspersky Lab partner in the financial industry observed a computer used to perform transactions was making suspicious domain name lookup requests. The resulting investigation ultimately uncovered the malicious module that was added to the NetSarang products. So far, Kaspersky is aware of the backdoor being activated in one case, against an unnamed company located in Hong Kong.

Anyone who has updated their NetSarang software since August 4 should automatically be protected against this threat. Infections can also be detected using antivirus products from Kaspersky Lab and, presumably, from almost all its competitors. Out of an abundance of caution, all users of the affected software should take time to review their computers and network logs for signs they were infected. Kaspersky Lab's blog post contains indicators of compromise.

It's not clear who created the backdoor or precisely how they compromised NetSarang. Several characteristics of the attack are similar to those used in the previously mentioned PlugX and WinNTi campaigns, which researchers have determined were carried out by Chinese-speaking groups. ShadowPad, for instance, uses the domain notped[.]com for some of its command and control functions. The same domain was used earlier in attacks that spread PlugX, Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars.

Supply-chain attacks are alarming because they can infect people who do nothing more than install security updates for digitally signed pieces of software they have been using for years. The ShadowPad incident underscores the value of closely scrutinizing network behavior and collaborating with partners to investigate suspicious or unexplained items.