Powerful backdoor found in (digitally signed) software used by >100 banks and energy cos

LASER_oneXM

Feb 4, 2016
Advanced ShadowPad malware lurked in digitally signed products sold by NetSarang.

For 17 days starting last month, an advanced backdoor that gave attackers complete control over networks lurked in digitally signed software used by hundreds of banks, energy companies, and pharmaceutical manufacturers, researchers warned Tuesday.

The backdoor, dubbed ShadowPad, was added to five server- or network-management products sold by NetSarang, a software developer with offices in South Korea and the US. The malicious products were available from July 17 to August 4, when the backdoor was discovered and privately reported by researchers from antivirus provider Kaspersky Lab. Anyone who uses any of the five NetSarang titles (Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0, or Xlpd 5.0) should immediately review posts here and here from NetSarang and Kaspersky Lab respectively.

Covert data collection

The researchers said they discovered the backdoor after a Kaspersky Lab partner in the financial industry observed that a computer used to perform transactions was making suspicious domain name lookup requests. The resulting investigation ultimately uncovered the malicious module that was added to the NetSarang products. So far, Kaspersky is aware of the backdoor being activated in one case, against an unnamed company located in Hong Kong.

Anyone who has updated their NetSarang software since August 4 should automatically be protected against this threat. Infections can also be detected using antivirus products from Kaspersky Lab and, presumably, from almost all its competitors. Out of an abundance of caution, all users of the affected software should take time to review their computers and network logs for signs they were infected. Kaspersky Lab's blog post contains indicators of compromise.
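The compromise above surfaced because a transaction host started making DNS lookups it had no business making. As an added illustration (not code from the article, NetSarang or Kaspersky Lab), the script below triages a DNS query log the way a defender reviewing network logs might: it skips names a host is known to resolve and flags hosts that make several lookups for novel, high-entropy (machine-looking) names. The log format, host names, domains and baseline are constructed for the example, not indicators from the report.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <source host> <queried name>".
# Made-up values for illustration only, not indicators of compromise.
SAMPLE_LOG = """\
2017-07-20T09:01:02 txn-host-01 update.example-bank.internal
2017-07-20T09:01:05 txn-host-01 time.example-bank.internal
2017-07-20T09:02:11 txn-host-01 x7kq2m9pdl3vbz.example.org
2017-07-20T09:02:12 txn-host-01 a91fj3zqv0wtrp.example.org
2017-07-20T09:03:00 admin-ws-02 mail.example-bank.internal
2017-07-20T09:03:30 txn-host-01 qz8n4lvbmx2rtc.example.org
"""

# Names each host is expected to resolve (assumed baseline; in practice it is
# learned from a clean window before the suspect period).
BASELINE = {
    "txn-host-01": {"update.example-bank.internal", "time.example-bank.internal"},
    "admin-ws-02": {"mail.example-bank.internal"},
}

def label_entropy(label):
    """Shannon entropy in bits per character; generated labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    """Yield (host, qname) pairs from the three-column format assumed above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def triage_dns(log_text, baseline, min_new=3, entropy_threshold=3.5):
    """Return {host: [novel high-entropy names]} for hosts with >= min_new hits."""
    novel = defaultdict(list)
    for host, qname in parse_log(log_text):
        if qname in baseline.get(host, set()):
            continue  # known-good name for this host
        if label_entropy(qname.split(".")[0]) >= entropy_threshold:
            novel[host].append(qname)
    return {h: names for h, names in novel.items() if len(names) >= min_new}

if __name__ == "__main__":
    for host, names in triage_dns(SAMPLE_LOG, BASELINE).items():
        print(host, "->", ", ".join(names))
```

Entropy alone is a coarse signal; in a real review the flagged names would be checked against the published indicators of compromise and the host's expected software inventory.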