[SingCERT] ShadowPad Backdoor Spreads in Corporate Networks Through Software Update Mechanism

Published on Friday, 25 August 2017 20:09


On 15 August 2017, Kaspersky Labs reported that they had discovered suspicious DNS requests in a partner's network. Further investigation showed that the source of the suspicious DNS queries was from a software package produced by NetSarang. Kaspersky Labs named the threat ShadowPad. SingCERT understands that the attacks occurred in Hong Kong, but the ShadowPad backdoor could be dormant in many other systems worldwide, if users have not updated to the latest version of the affected software.

ShadowPad is a backdoor platform with the capability of collecting system information, downloading and execution of arbitrary code, maintaining a virtual file system in the registry, and communicating DNS requests. ShadowPad is one of the largest known supply-chain attacks. Had ShadowPad not been detected and patched so quickly, it could have impacted hundreds of organisations worldwide.

Affected Builds

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220

A file (nssock2.dll) in the recent versions of software produced by NetSarang was secretly modified to include an encrypted payload that could be exploited remotely.

Before an attacker triggers the backdoor, it can only collect basic information, such as computer domain and user names at every 8-hour interval. Activation of the backdoor can be triggered via a crafted DNS TXT record for a specific domain name through a command-and-control server. When activated, the backdoor allows attackers to download and execute further malicious code or steal data.


For End-users
Refrain from using the software of affected builds stated above. Users can update their software by going to Help > Check for Updates. Or visit the NetSarang website: https://www.netsarang.com/download/software.html.

For Network/System Administrators
Network/System Administrators are advised to block DNS queries to the C2 domains listed below:

  • ribotqtonut[.]com
  • nylalobghyhirgh[.]com        
  • jkvmdmjyfcvkf[.]com        
  • bafyvoruzgjitwr[.]com        
  • xmponmzmxkxkh[.]com        
  • tczafklirkl[.]com        
  • notped[.]com        
  • dnsgogle[.]com        
  • operatingbox[.]com        
  • paniesx[.]com        
  • techniciantext[.]com

Users and administrators may refer to the link below for a Netsarang backdoor DNS payload decryption tool: https://gist.github.com/fox-srt/70874791ff45475bdec92f519345d663