Recently, black hat hackers managed to intrude into a popular server management software package through its update mechanism and inserted an advanced backdoor that survived for 17 days before researchers noticed and discovered it. The backdoor has been named ShadowPad. It can give the attackers complete control over a network, and it gained them access by hiding inside cryptographically signed software distributed by NetSarang. This software is used by many organisations, including banks, media companies, telecommunication providers, and logistics and transport firms.
Warning to be taken into account
If you are using one of the affected products (listed below), we highly recommend switching to an alternative immediately until a patch is released and applied.
Black hat hackers inject a backdoor using the software update mechanism
Kaspersky Lab discovered this well-hidden backdoor by capturing NetSarang's update mechanism, which had been compromised so that a backdoor was silently inserted into a software update; that update, signed with NetSarang's legitimate certificate, then silently delivered the malicious code to all of NetSarang's users.
The same mechanism was used by the Petya/NotPetya ransomware in June this year, in that case against the Ukrainian financial software provider known as MeDoc.
The backdoor is located in the nssock2.dll library of NetSarang's Xmanager and Xshell software suite, which NetSarang published on its website on 18 July.
When the researchers at Kaspersky Lab made the discovery, they submitted a private report to the company on 4 August; as an immediate action, the company pulled the compromised software and replaced it with a clean earlier version.
The affected NetSarang software:
Xmanager Enterprise 5.0 Build 1232
Xmanager 5.0 Build 1045
Xshell 5.0 Build 1322
Xftp 5.0 Build 1218
Xlpd 5.0 Build 1220
Commands that can be remotely triggered
The ShadowPad code is hidden inside several layers of encrypted code that are decrypted only when intended. Until that decryption takes place, the backdoor pings a command-and-control server every 8 hours with details of the compromised system: the user name, domain name and network details.
How the backdoor is activated
The backdoor is triggered via specially crafted DNS TXT records. It generates a domain name based on the current month and year and then performs a DNS lookup on that domain. When the backdoor is triggered, the command-and-control server sends back a decryption key, which the software downloads and uses to move on to the next stage, effectively making the backdoor active.
How to detect this backdoor and protect your company
As mentioned above, the company has provided a solution by replacing the software with a clean, stable version; anyone who has not yet made this change should do so. Please also check that no DNS requests to the following domains were made from your organisation, and if any were, block them.
The final solution is to use the NetSarang installation kits from April, which do not contain the malicious library.
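As an added defender-side example (not code from the original post, nor from NetSarang or Kaspersky Lab), the following Python scans DNS query logs for the 8-hour DNS TXT beacon described above and for hits on a caller-supplied blocklist; the log format, the client names and the domain beacon.example.invalid are constructed for the demonstration.

```python
"""Flag ShadowPad-style DNS TXT beaconing in DNS query logs.

Constructed example: the log lines, client names and the domain
"beacon.example.invalid" are made up for this demonstration. The post
describes the implant resolving a TXT record every 8 hours, so this flags
(client, domain) pairs whose TXT lookups recur at roughly that interval,
and any query to a domain on a blocklist supplied by the caller.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS log, one query per line: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2017-08-10T01:00:05 ws-17 TXT beacon.example.invalid
2017-08-10T01:00:06 ws-17 A www.example.com
2017-08-10T09:00:11 ws-17 TXT beacon.example.invalid
2017-08-10T09:30:00 ws-02 TXT _dmarc.example.com
2017-08-10T17:00:09 ws-17 TXT beacon.example.invalid
2017-08-11T01:00:02 ws-17 TXT beacon.example.invalid
2017-08-11T10:00:00 ws-02 TXT _dmarc.example.com
"""

BEACON_SECONDS = 8 * 3600   # cadence the post attributes to the implant
TOLERANCE = 0.05            # accept 5% jitter around the expected interval

def parse_log(text):
    """Yield (timestamp, client, qtype, normalised qname) from the constructed format."""
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        yield datetime.fromisoformat(ts), client, qtype, qname.lower().rstrip(".")

def find_txt_beacons(text, blocklist=(), min_hits=3):
    """Return sorted (client, qname, reason) findings.

    A (client, qname) pair is flagged when at least min_hits TXT lookups to it
    are spaced ~8 hours apart, or when qname appears on the blocklist.
    """
    txt_times = defaultdict(list)
    findings = set()
    blocked = {d.lower() for d in blocklist}
    for ts, client, qtype, qname in parse_log(text):
        if qname in blocked:
            findings.add((client, qname, "blocklisted domain"))
        if qtype == "TXT":
            txt_times[(client, qname)].append(ts)
    for (client, qname), times in txt_times.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - BEACON_SECONDS) <= BEACON_SECONDS * TOLERANCE]
        if len(periodic) >= min_hits - 1:
            findings.add((client, qname, "TXT lookups at ~8h cadence"))
    return sorted(findings)
```

Legitimate TXT traffic such as the periodic `_dmarc` lookup from ws-02 is not flagged because its spacing does not match the 8-hour cadence.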