A group with possible links to Chinese hackers has managed to break into the servers of NetSarang — a South Korean software maker — and has hidden a backdoor in the company’s software packages.
According to Kaspersky Lab researchers, who spotted the backdoor in NetSarang applications last month, attackers published backdoored apps that were signed with a legitimate NetSarang certificate.
This discovery has led researchers to believe that attackers either took the company’s legitimate apps and patched the software to add the backdoor trojan, or they managed to breach NetSarang’s software build servers, where they added the backdoor to the source code itself and generated new app builds.
The hackers then replaced the legitimate NetSarang software packages with trojanized versions on the company’s official download servers.
Attackers backdoored five NetSarang applications
At the time of writing, Kaspersky says that the following NetSarang applications have been found sporting the backdoor:
Xmanager Enterprise 5 Build 1232
Xmanager 5 Build 1045
Xshell 5 Build 1322
Xftp 5 Build 1218
Xlpd 5 Build 1220
Attackers waited for companies to download and install the trojanized apps. Once a victim was infected, the attackers used the backdoored software to upload files to the infected computer, store data in a virtual filesystem (VFS), and run applications and create processes to execute malicious code.
The backdoor trojan communicated with the attackers’ command and control servers via DNS requests. It was this sudden surge in suspicious DNS requests that drew the attention of Kaspersky researchers and led to the backdoor’s discovery.
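The detection angle described above, beaconing over DNS that shows up as an unusual run of queries, is the kind of thing a resolver-log check can surface. The following is an added example, not code from the article or from Kaspersky: it scores each registered domain by query volume, the entropy of the leftmost label, and how rarely those labels repeat. The log lines and domain names are constructed placeholders, not the indicators from the report, and the thresholds are assumptions to tune against your own traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <queried name>". Not real data;
# the domain names are placeholders, not the indicators from the Kaspersky report.
SAMPLE_LOG = """\
2017-07-17T09:00:01 10.1.1.5 www.intranet.example
2017-07-17T09:00:02 10.1.1.5 www.intranet.example
2017-07-17T09:00:03 10.1.1.5 www.intranet.example
2017-07-17T09:00:04 10.1.1.5 www.intranet.example
2017-07-17T09:00:05 10.1.1.5 www.intranet.example
2017-07-17T09:00:06 10.1.1.5 update.vendor-site.example
2017-07-17T09:00:07 10.1.1.7 j7f3kq9x2m0a.ctrl-placeholder.example
2017-07-17T09:00:08 10.1.1.7 ab2z9q1mx8l0d3.ctrl-placeholder.example
2017-07-17T09:00:09 10.1.1.7 k4p0w8n3c6v1.ctrl-placeholder.example
2017-07-17T09:00:10 10.1.1.7 q9r2t5y8u1i0.ctrl-placeholder.example
2017-07-17T09:00:11 10.1.1.7 z3x6c9v2b5n8.ctrl-placeholder.example
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (leftmost label, registered domain). The registered domain is
    approximated as the last two labels; a real tool would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[0], ".".join(labels[-2:])

def find_suspicious_domains(log_text, min_queries=4, min_entropy=3.0, min_distinct_ratio=0.8):
    """Flag registered domains that receive many queries whose leftmost labels are
    both high-entropy and almost never repeated, i.e. data is being carried in the name."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        label, domain = split_name(parts[2])
        per_domain[domain].append(label)
    flagged = {}
    for domain, labels in per_domain.items():
        if len(labels) < min_queries:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        distinct_ratio = len(set(labels)) / len(labels)
        if mean_entropy >= min_entropy and distinct_ratio >= min_distinct_ratio:
            flagged[domain] = {"queries": len(labels), "mean_entropy": round(mean_entropy, 2),
                               "distinct_ratio": round(distinct_ratio, 2)}
    return flagged

if __name__ == "__main__":
    for domain, stats in find_suspicious_domains(SAMPLE_LOG).items():
        print(domain, stats)
```

A frequently queried intranet host with a fixed label is not flagged, while a domain whose every query carries a fresh random-looking label is; CDN and telemetry domains can legitimately look similar, so treat hits as leads to correlate with process and signing data, not as verdicts.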
Kaspersky informed NetSarang, who cleaned its servers and issued new updates to overwrite any malicious installations on customers’ computers.
Software is popular in enterprise environments
The whole incident is more dangerous than it looks, because NetSarang is one of the premier software suppliers for a number of large organizations.
The South Korean company doesn’t list customer names on its website but says that its remote management software is installed on the networks of companies in almost all industry sectors, such as banking, finance, insurance, energy, media, IT, electronics, transportation, telecommunications, manufacturing, retail, logistics, and others.
Investigating artifacts from the incident, Kaspersky says that the backdoor trojan, which they named ShadowPad, uses techniques observed in other backdoor trojans such as PlugX or Winnti, both the work of Chinese hacking groups active in political and economic espionage.
The NetSarang incident is not the first time hackers have breached a company’s supply chain. Chinese cyber-espionage unit APT10 has been hacking cloud providers since late 2016 as a way to penetrate the secure networks of companies that use their services. In June this year, Russian cyber-espionage group TeleBots breached the server of M.E.Doc and pushed a trojanized software update to deploy the NotPetya ransomware. This year, the Cobalt (FIN7) economic espionage group also delved into supply chain attacks by leveraging the infrastructure and accounts of actual employees at one company in order to forge convincing emails targeting a different partner organization.
MD5 and SHA1 hashes for each trojanized software package are available here, along with domain names associated with the malicious DNS requests. A technical report on the trojan’s modus operandi is available here.