Software maker admits attackers hid backdoor in entire suite of products

South Korea's NetSarang holds hands up to 'ShadowPad' backdoor hack of its server management products

South Korean software maker NetSarang, which makes connectivity software widely used by banks and infrastructure companies, has admitted that recent builds of all its software products were shipped with backdoors believed to have been slipped in by hackers from mainland China.

The malware was picked up in an investigation by Kaspersky after a client reported unusual network activity. Kaspersky claims that the tools, techniques and procedures point to PlugX malware variants used by the Chinese Winnti APT cyber-espionage group.

In a statement issued this week the company admitted the flaws: "On Friday 4 August 2017, our engineers, in cooperation with Kaspersky Labs, discovered a security exploit in our software specific to... Builds which were released on 18 July 2017. As of 15 August 2017, Kaspersky Labs has discovered a single instance of this exploit being utilized in Hong Kong."

The security flaws affect the following products:

The company was keen to assert that only those builds were affected. "If you are using any of these above listed Builds, we highly recommend you cease using the software until you update your clients. The exploit was effectively patched with the release of our latest Build on August 5th, so if you've already updated, then your clients are secure."

It added that anti-virus software makers had been informed of the issue and that up-to-date anti-virus software ought to identify any of the affected DLL files. Kaspersky detects the malware, dubbed ShadowPad, as "Backdoor.Win32.ShadowPad.a".

The ShadowPad backdoor, when activated, would enable the hackers to download further malicious modules or to exfiltrate data, Kaspersky warned.

"In July 2017, Kaspersky Lab's Global Research and Analysis Team (GReAT) was approached by one of its partners, a financial institution. The organisation's security specialists were worried about suspicious DNS (domain name server) requests originating on a system involved in the processing of financial transactions," claimed Kaspersky in an advisory.

It continued: "Further investigation showed that the source of these requests was server management software produced by a legitimate company and used by hundreds of customers in industries like financial services, education, telecoms, manufacturing, energy and transportation. The most worrying finding was the fact that the vendor did not mean for the software to make these requests.

"Further Kaspersky Lab analysis showed that the suspicious requests were actually the result of the activity of a malicious module hidden inside a recent version of the legitimate software.

"Following the installation of an infected software update, the malicious module would start sending DNS-queries to specific domains (its command and control server) at a frequency of once every eight hours. The request would contain basic information about the victim's system (user name, domain name, host name).

"If the attackers considered the system to be 'interesting', the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code."
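As an added illustration of the detection angle in the advisory quoted above (this is not code from Kaspersky, NetSarang or the article), the script below scans constructed resolver log lines for a client that queries one domain at a near-constant interval, using the eight-hour cadence described above as the interval of interest. The hosts and domains in it are placeholders, not real indicators.

```python
"""Periodic DNS beacon detector (added illustrative example, not Kaspersky's
or NetSarang's code). Flags (client, domain) pairs whose queries arrive at a
near-constant interval; the ~8-hour cadence described for ShadowPad is the
case of interest. Hosts and domains below are constructed placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample resolver log: "<ISO timestamp> <client> <queried name>".
# The per-query subdomain labels stand in for a beacon encoding victim data.
SAMPLE_LOG = """\
2017-07-20T01:00:05 fin-app-01 a9f3c2.example-c2.invalid
2017-07-20T01:00:09 fin-app-01 updates.example-vendor.invalid
2017-07-20T09:00:11 fin-app-01 b71e0d.example-c2.invalid
2017-07-20T12:30:00 fin-app-01 updates.example-vendor.invalid
2017-07-20T17:00:02 fin-app-01 c04aa1.example-c2.invalid
2017-07-21T01:00:07 fin-app-01 d2e8f9.example-c2.invalid
2017-07-21T03:15:44 fin-app-01 updates.example-vendor.invalid
"""

def registered_domain(name: str, labels: int = 2) -> str:
    """Collapse a query name to its last `labels` labels so that varying
    per-query subdomains group under one parent domain."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def find_periodic_beacons(log: str, period_s: float = 8 * 3600,
                          tolerance: float = 0.05, min_queries: int = 3):
    """Return [(client, domain, mean_gap_s)] for pairs whose consecutive
    query gaps all lie within `tolerance` of `period_s`."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, client, qname = line.split()
        series[(client, registered_domain(qname))].append(
            datetime.fromisoformat(ts))
    hits = []
    for (client, domain), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_queries:
            continue  # too few observations to call a cadence
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_s) <= tolerance * period_s for g in gaps):
            hits.append((client, domain, mean(gaps)))
    return hits

if __name__ == "__main__":
    for client, domain, gap in find_periodic_beacons(SAMPLE_LOG):
        print(f"{client} -> {domain}: every {gap / 3600:.2f} h")
```

On the sample log only the `example-c2.invalid` traffic is reported; the vendor update lookups are irregular and are ignored.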

Kaspersky claims that NetSarang reacted fast to rectify the security problem as soon as it was notified.

The attack is the latest in what is known as a supply chain attack, in which a critical element in an organisation's supply chain - in this case a software company - is compromised in order to hit other organisations that it does business with.

The most devastating supply chain attack in recent years was the NotPetya malware outbreak, which exploited security shortcomings on the update servers of Ukrainian accounting software company ME Doc to wreak havoc on companies in Ukraine and around the world.

Shipping company Maersk has pinned the cost of NotPetya - including cleaning up after it, as well as revenues foregone as a result of the chaos it caused - at as high as $300m. The total global cost of the malware, which has been linked with Russia, could easily top $1bn.

Kaspersky has published in-depth analysis of the ShadowPad malware on its SecureList website.