Attackers modified at least five software packages distributed by NetSarang, a provider of network connectivity and server management software, in order to infect its business users with a modular backdoor. The compromise came to light when a financial institution noticed suspicious DNS requests from systems involved in processing financial transactions and contacted Kaspersky Lab.

Kaspersky reported that the trojanised NetSarang files (dubbed ShadowPad) carried an encrypted payload capable of remotely downloading and executing arbitrary code, uploading files, creating processes, and storing data in a virtual file system (VFS) kept inside the victim's registry. The staging of the backdoor worked in a similar way to the CCleaner injection:

  • A tiered architecture kept the backdoor dormant until a designated command-and-control (C&C) server answered with a specially crafted DNS TXT record for a specific domain. The C&C domains were produced by a domain generation algorithm (DGA), so the queried names changed over time rather than pointing at one fixed host.
  • The DNS request itself carried data about the infected host. If the C&C server judged that data interesting, it responded and activated the backdoor; otherwise the implant stayed inactive.
  • Once activated, the module exchanged data with the server, which sent back a decryption key for the next stage of the code.
  • With the backdoor active, attackers could upload files, create processes, and store information in the VFS inside the victim's registry. The VFS and any additional files created by the code were encrypted and stored in locations unique to each victim.

Some of the techniques overlap with those used to spread the PlugX remote access tool and the Winnti backdoor, both allegedly developed by Chinese-speaking authors.

NetSarang removed the ShadowPad files and released updated software, published a notice with the Kaspersky findings, informed its customer base by e-mail and through in-product messages, and introduced "additional security protocols and checks" (migrating to an entirely new and separate build infrastructure in which every device is wiped, examined, verified, and whitelisted) to minimise the risk of future releases being injected in the same way.