Categories: Backdoor

Popular Server Management Software Infected with Encrypted Payload That Could be Remotely Activate Backdoor

Very Popular Server Management Software XMANAGER5 owned by NetSarang flowing with Backdoor that was injected as Encrypted Payload  By Cyber Criminals.

Encrypted payload Discovered with the name of Backdoor.Win32.ShadowPad.a  by Kaspersky Researchers and mainly initiated its activity for the successful supply-chain attack.

This Server used by used in hundreds of critical networks including telecommunication, transportation, and Banks for Secure file transfer Client, and maintain the server management activities.

This  Backdoor was found and Embedded With code libraries called nssock2.dll  that are used by this Software.

nssock2.dll Embedded  library

According to Kaspersky, Attacker origin might be China which is Predicted by same attack were used in another malware like PlugX and Winnti.

Also Read :Beware:Emails Delivering Backdoor and Injecting Malicious Scripts into Enterprise Networks

How Does Backdoor Work

To Evade the Detection, This Backdoor has been used with several layers of Encryption Process with the payload.

layers of Encryption

ShadowPad Backdoor will be Activated only when it received a special packet from Command & Control Server.

Before Received a Special Command it has an ability to Transfer only basic information such as computer, domain and user names and every 8 hours it uses to send this information.

Activation of the payload will be triggered by Special Domain called “nylalobghyhirgh.com” via specially crafted DNS TXT record.

The Backdoor will be Triggered by the first layer of C&C servers, later Backdoor will be Activated by the second Layer.

Layer of Processing by C2 server

The module performs a quick exchange with the controlling DNS server and provides basic target information (domain and user name, system date, network configuration) to the server. The C&C DNS server in return sends back the decryption key for the next stage of the code, effectively activating the backdoor,Kaspersky Said.

Communication Between the Module and C&C server will be fully encrypted  by proprietary algorithm and Each packet also contains an encrypted “magic” DWORD value “52 4F 4F 44”

Embedded Code Download and execute arbitrary code which is Provided by C&C Server and also it acts as a Modular Backdoor Platform.

This Backdoor also maintain a virtual file system (VFS) inside the registry that is encrypted and stored in a location unique to each victim.

Remote Access capabilities algorithm and Domains for C&C Severs keep changing each and every Month by the Group or individual behind of this Malware.

Kaspersky Conforms that, This Backdoor has been Activated  successfully in a company in Hong Kong.

Follow Domains are indicated the DNS Request for the Backdoor.

  • ribotqtonut[.]com
  • nylalobghyhirgh[.]com
  • jkvmdmjyfcvkf[.]com
  • bafyvoruzgjitwr[.]com
  • xmponmzmxkxkh[.]com
  • tczafklirkl[.]com
  • notped[.]com
  • dnsgogle[.]com
  • operatingbox[.]com
  • paniesx[.]com
  • techniciantext[.]com

All malicious files were removed from NetSarang website After Kaspersky reported to NetSarang.

Image Credits : Kaspersky

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

View Comments

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago