Popular Server Management Software Infected with Encrypted Payload That Could be Remotely Activate Backdoor

Very Popular Server Management Software XMANAGER5 owned by NetSarang flowing with Backdoor that was injected as Encrypted Payload  By Cyber Criminals.

Encrypted payload Discovered with the name of Backdoor.Win32.ShadowPad.a  by Kaspersky Researchers and mainly initiated its activity for the successful supply-chain attack.

This Server used by used in hundreds of critical networks including telecommunication, transportation, and Banks for Secure file transfer Client, and maintain the server management activities.

This  Backdoor was found and Embedded With code libraries called nssock2.dll  that are used by this Software.

nssock2.dll Embedded  library

According to Kaspersky, Attacker origin might be China which is Predicted by same attack were used in another malware like PlugX and Winnti.

Also Read :Beware:Emails Delivering Backdoor and Injecting Malicious Scripts into Enterprise Networks

How Does Backdoor Work

To Evade the Detection, This Backdoor has been used with several layers of Encryption Process with the payload.

layers of Encryption

ShadowPad Backdoor will be Activated only when it received a special packet from Command & Control Server.

Before Received a Special Command it has an ability to Transfer only basic information such as computer, domain and user names and every 8 hours it uses to send this information.

Activation of the payload will be triggered by Special Domain called “nylalobghyhirgh.com” via specially crafted DNS TXT record.

The Backdoor will be Triggered by the first layer of C&C servers, later Backdoor will be Activated by the second Layer.

Layer of Processing by C2 server

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor,Kaspersky Said.

Communication Between the Module and C&C server will be fully encrypted  by proprietary algorithm and Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44”

Embedded Code Download and execute arbitrary code which is Provided by C&C Server and also it acts as a Modular Backdoor Platform.

This Backdoor also maintain a virtual file system (VFS) inside the registry that is encrypted and stored in a location unique to each victim.

Remote Access capabilities algorithm and Domains for C&C Severs keep changing each and every Month by the Group or individual behind of this Malware.

Kaspersky Conforms that, This Backdoor has been Activated  successfully in a company in Hong Kong.

Follow Domains are indicated the DNS Request for the Backdoor.

• ribotqtonut[.]com
• nylalobghyhirgh[.]com
• jkvmdmjyfcvkf[.]com
• bafyvoruzgjitwr[.]com
• xmponmzmxkxkh[.]com
• tczafklirkl[.]com
• notped[.]com
• dnsgogle[.]com
• operatingbox[.]com
• paniesx[.]com
• techniciantext[.]com

All malicious files were removed from NetSarang website After Kaspersky reported to NetSarang.

Image Credits : Kaspersky