Wednesday, April 17, 2024

Popular Server Management Software Infected with Encrypted Payload That Could be Remotely Activate Backdoor

Very Popular Server Management Software XMANAGER5 owned by NetSarang flowing with Backdoor that was injected as Encrypted Payload  By Cyber Criminals.

Encrypted payload Discovered with the name of Backdoor.Win32.ShadowPad.a  by Kaspersky Researchers and mainly initiated its activity for the successful supply-chain attack.

This Server used by used in hundreds of critical networks including telecommunication, transportation, and Banks for Secure file transfer Client, and maintain the server management activities.

This  Backdoor was found and Embedded With code libraries called nssock2.dll  that are used by this Software.


nssock2.dll Embedded  library

According to Kaspersky, Attacker origin might be China which is Predicted by same attack were used in another malware like PlugX and Winnti.

Also Read :Beware:Emails Delivering Backdoor and Injecting Malicious Scripts into Enterprise Networks

How Does Backdoor Work 

To Evade the Detection, This Backdoor has been used with several layers of Encryption Process with the payload.


layers of Encryption

ShadowPad Backdoor will be Activated only when it received a special packet from Command & Control Server.

Before Received a Special Command it has an ability to Transfer only basic information such as computer, domain and user names and every 8 hours it uses to send this information.

Activation of the payload will be triggered by Special Domain called “” via specially crafted DNS TXT record.

The Backdoor will be Triggered by the first layer of C&C servers, later Backdoor will be Activated by the second Layer.


Layer of Processing by C2 server

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor,Kaspersky Said.

Communication Between the Module and C&C server will be fully encrypted  by proprietary algorithm and Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44”

Embedded Code Download and execute arbitrary code which is Provided by C&C Server and also it acts as a Modular Backdoor Platform.

This Backdoor also maintain a virtual file system (VFS) inside the registry that is encrypted and stored in a location unique to each victim.

Remote Access capabilities algorithm and Domains for C&C Severs keep changing each and every Month by the Group or individual behind of this Malware.

Kaspersky Conforms that, This Backdoor has been Activated  successfully in a company in Hong Kong.

Follow Domains are indicated the DNS Request for the Backdoor.

  • ribotqtonut[.]com
  • nylalobghyhirgh[.]com
  • jkvmdmjyfcvkf[.]com
  • bafyvoruzgjitwr[.]com
  • xmponmzmxkxkh[.]com
  • tczafklirkl[.]com
  • notped[.]com
  • dnsgogle[.]com
  • operatingbox[.]com
  • paniesx[.]com
  • techniciantext[.]com

All malicious files were removed from NetSarang website After Kaspersky reported to NetSarang.

Image Credits : Kaspersky


Latest articles

LightSpy Hackers Target Indian Apple Device Users To Steal Sensitive Data

Hackers target Apple device users because they are perceived to be of higher social...

Trustifi’s Email Security Awareness Training – Empowering MSPs to Train & Protect Clients

In today's digital landscape, email security has become a critical concern for businesses of...

Personal Data Exposed in Massive Global Hack: Understanding the Implications & Guarding Privacy- Axios Security Group

In a digital age where information is the new currency, the recent global hack...

Ex-Security Engineer Jailed For Hacking Decentralized Cryptocurrency Exchanges

Ahmed exploited a vulnerability in a decentralized cryptocurrency exchange's smart contract by injecting fabricated...

Omni Hotels & Resorts Hack: Attackers have Stolen Customer Information

Omni Hotels & Resorts has revealed that it was the target of a recent...

Connect:fun Attacking Organizations Running Fortinet’s FortiClient EMS

A new exploit campaign has emerged, targeting organizations that utilize Fortinet’s FortiClient EMS.Dubbed...

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers

TA558, a financially motivated threat actor identified in 2018, is targeting several countries but...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles