ShadowPad malware hid powerful backdoor in popular business software

16 Aug 2017

Supply chain attacks are an increasing threat. Image: Mohamed Abdulraheem/Shutterstock

Kaspersky uncovers a secret hiding in NetSarang that left hundreds of companies vulnerable to data theft.

Researchers at cybersecurity firm Kaspersky Lab have discovered an advanced backdoor in several digitally signed products sold by Korean software development company NetSarang.

Dubbed ShadowPad, the backdoor was planted in the software of five NetSarang products, where it remained undetected for 17 days, from 17 July to 4 August of this year.

The incident is being viewed as one of the largest known supply chain attacks, affecting software users from banks and pharmaceutical companies to energy suppliers.

According to Ars Technica, the malware was brought to the attention of antivirus provider Kaspersky Lab by a financial client that was concerned with suspicious domain name server (DNS) lookup requests being made by a computer. The Kaspersky team swiftly notified NetSarang of the backdoor, and an update of the affected software was released.

To date, the malicious module has only been activated in Hong Kong, according to a statement from Kaspersky Lab published yesterday (15 August). It recommended that all users install the updated versions of the affected NetSarang products to ensure the security of their data, as ShadowPad could still be lying dormant in locations scattered all over the world.

A call for vigilance

Igor Soumenkov, security expert at Kaspersky Lab, warned companies to be vigilant when it comes to their security maintenance in a world where cybercrime is mutating constantly.

“ShadowPad is an example of how dangerous and wide-scale a successful supply chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.

“Luckily, NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data-stealing attacks against its clients; however, this case shows that large companies should rely on advanced solutions capable of monitoring network activity and detecting anomalies.

“This is where you can spot malicious activity even if the attackers were sophisticated enough to hide their malware inside legitimate software.”

Supply chain attacks are a growing concern

The malicious versions of the NetSarang products were designed in a way that made them difficult to spot on affected company networks.

The main damage-causing functions of the malware weren’t activated until the infected machine received a special packet from the server. Information scraped from the DNS lookup requests included usernames, domain names and host names. Following the activation of the backdoor, infected systems would then be made vulnerable to data theft, surveillance and even deployment of other kinds of destructive malware.

NetSarang addressed the issue in a statement. “Regretfully, the Build release of our full line of products on July 18, 2017, was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator.

“The fact that malicious groups and entities are utilising commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com