Categories: Backdoor

Popular Server Management Software Infected with Encrypted Payload That Could be Remotely Activate Backdoor

Very Popular Server Management Software XMANAGER5 owned by NetSarang flowing with Backdoor that was injected as Encrypted Payload  By Cyber Criminals.

Encrypted payload Discovered with the name of Backdoor.Win32.ShadowPad.a  by Kaspersky Researchers and mainly initiated its activity for the successful supply-chain attack.

This Server used by used in hundreds of critical networks including telecommunication, transportation, and Banks for Secure file transfer Client, and maintain the server management activities.

This  Backdoor was found and Embedded With code libraries called nssock2.dll  that are used by this Software.

nssock2.dll Embedded  library

According to Kaspersky, Attacker origin might be China which is Predicted by same attack were used in another malware like PlugX and Winnti.

Also Read :Beware:Emails Delivering Backdoor and Injecting Malicious Scripts into Enterprise Networks

How Does Backdoor Work

To Evade the Detection, This Backdoor has been used with several layers of Encryption Process with the payload.

layers of Encryption

ShadowPad Backdoor will be Activated only when it received a special packet from Command & Control Server.

Before Received a Special Command it has an ability to Transfer only basic information such as computer, domain and user names and every 8 hours it uses to send this information.

Activation of the payload will be triggered by Special Domain called “nylalobghyhirgh.com” via specially crafted DNS TXT record.

The Backdoor will be Triggered by the first layer of C&C servers, later Backdoor will be Activated by the second Layer.

Layer of Processing by C2 server

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor,Kaspersky Said.

Communication Between the Module and C&C server will be fully encrypted  by proprietary algorithm and Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44”

Embedded Code Download and execute arbitrary code which is Provided by C&C Server and also it acts as a Modular Backdoor Platform.

This Backdoor also maintain a virtual file system (VFS) inside the registry that is encrypted and stored in a location unique to each victim.

Remote Access capabilities algorithm and Domains for C&C Severs keep changing each and every Month by the Group or individual behind of this Malware.

Kaspersky Conforms that, This Backdoor has been Activated  successfully in a company in Hong Kong.

Follow Domains are indicated the DNS Request for the Backdoor.

  • ribotqtonut[.]com
  • nylalobghyhirgh[.]com
  • jkvmdmjyfcvkf[.]com
  • bafyvoruzgjitwr[.]com
  • xmponmzmxkxkh[.]com
  • tczafklirkl[.]com
  • notped[.]com
  • dnsgogle[.]com
  • operatingbox[.]com
  • paniesx[.]com
  • techniciantext[.]com

All malicious files were removed from NetSarang website After Kaspersky reported to NetSarang.

Image Credits : Kaspersky

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

View Comments

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

11 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

11 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

14 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

17 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

18 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

18 hours ago