Bad backdoor found in server software used by financial institutions

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be,” one researcher said.

Server software used globally by banks, energy firms and pharmaceutical manufacturers had a backdoor surreptitiously added by an advanced attacker that allowed a full takeover of target networks.

Kaspersky Lab researchers published a report on Tuesday warning about the backdoor, called ShadowPad, which affected products sold by NetSarang, a software company headquartered in the United States and South Korea. The backdoor was active from July 17 to Aug. 4, when it was sniffed out by Kaspersky researchers who found suspicious DNS requests in a Hong Kong financial institution using NetSarang’s software.

News of ShadowPad comes on the heels of June’s NotPetya outbreak. A backdoor in the Ukrainian tax software M.E.Doc allowed attackers to push malware to victims through the software’s update feature, illustrating how backdoored supply-chain attacks can lead to weaponized updates. Kaspersky pointed to other attacks similar to ShadowPad, including 2013’s WinNTi malware and 2015’s PlugX Trojan.

“ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be,” Kaspersky’s Igor Soumenkov said. “Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.”


The backdoor was actively exploited at least once in the Hong Kong financial company’s networks, Kaspersky confirmed, urging any other users to take immediate action — here’s the appropriate update — to identify affected software. The investigation is ongoing. The malicious entry point sits in the nssock2.dll library, from which it sends out basic information like computer, domain and user names every eight hours until it’s specifically activated by the attackers.
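The eight-hour check-in described above is something defenders can look for in DNS resolver logs. The following Python sketch is an added example, not code from Kaspersky or NetSarang; it assumes the check-ins show up as DNS queries, and the log format, domain names, tolerance and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

BEACON_PERIOD_S = 8 * 3600  # "every eight hours", per the article
TOLERANCE_S = 300           # assumed allowance for timing jitter
MIN_QUERIES = 4             # assumed minimum observations before flagging
# Constructed resolver log, one query per line: "timestamp client qname"
SAMPLE_LOG = """\
2017-07-20T00:03:10 10.0.0.5 a1.constructed-c2.example
2017-07-20T08:03:40 10.0.0.5 b2.constructed-c2.example
2017-07-20T09:00:00 10.0.0.9 updates.vendor.example
2017-07-20T09:15:00 10.0.0.5 www.intranet.example
2017-07-20T09:47:12 10.0.0.5 www.intranet.example
2017-07-20T13:02:44 10.0.0.5 www.intranet.example
2017-07-20T16:02:55 10.0.0.5 c3.constructed-c2.example
2017-07-21T08:03:20 10.0.0.5 d4.constructed-c2.example
2017-07-21T09:00:05 10.0.0.9 updates.vendor.example
2017-07-21T10:20:31 10.0.0.5 www.intranet.example
2017-07-22T09:00:02 10.0.0.9 updates.vendor.example
2017-07-23T09:00:01 10.0.0.9 updates.vendor.example
"""

def parse(log_text):
    """Yield (time, client, base_domain); base domain = last two labels (simplified)."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        labels = parts[2].rstrip(".").lower().split(".")
        yield datetime.fromisoformat(parts[0]), parts[1], ".".join(labels[-2:])

def period_multiple(gap_s):
    """Return k if the gap is k beacon periods within tolerance, else 0."""
    k = round(gap_s / BEACON_PERIOD_S)
    return k if k >= 1 and abs(gap_s - k * BEACON_PERIOD_S) <= TOLERANCE_S else 0

def find_periodic(log_text):
    """Return (client, base_domain, query_count) for eight-hour query patterns."""
    seen = defaultdict(list)
    for when, client, domain in parse(log_text):
        seen[(client, domain)].append(when)
    hits = []
    for (client, domain), times in sorted(seen.items()):
        times.sort()
        ks = [period_multiple((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        # All gaps are whole periods (k > 1 = missed check-in); most are exactly one,
        # so a once-a-day job (k = 3 every time) is not flagged.
        if len(times) >= MIN_QUERIES and all(ks) and 2 * ks.count(1) >= len(ks):
            hits.append((client, domain, len(times)))
    return hits
```

On the constructed log, only the host querying `constructed-c2.example` is returned; the daily update check and the irregular intranet lookups are not.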

The extent of the damage or data exfiltrated during the incident at the Hong Kong company remains publicly unclear.

“Attribution is hard and the attackers were very careful to not leave obvious traces,” researchers wrote. “However certain techniques were known to be used in another malware like PlugX and Winnti, which were allegedly developed by Chinese-speaking actors.”

The affected products are Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0 and Xlpd 5.0, according to NetSarang.
