ShadowPad Malware Backdoor in Digitally Signed Software Update


    This topic contains 2 replies, has 1 voice, and was last updated by  Kirsty 9 months, 1 week ago.

    #129708

      AskWoody MVP

      Attackers Backdoor Another Software Update Mechanism
      by Michael Mimoso | August 15, 2017

      The attack is just the latest where nation-state actors, or cybercriminals, have infiltrated a software supply chain provider and infected a trusted update mechanism. The source of the ExPetr/NotPetya wiper malware attacks, for example, was linked to a Ukrainian financial software provider called MeDoc. Attackers compromised its update mechanism and swapped in a phony update that included NotPetya, which was originally believed to be a ransomware attack similar to WannaCry.

      Kaspersky Lab said the backdoor, called ShadowPad, is a modular platform that can be used to download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim. The researchers said they can confirm activated payloads in the Asia Pacific region.

      “Given that the NetSarang programs are used in hundreds of critical networks around the world, on servers and workstations belonging to system administrators, it is strongly recommended that companies take immediate action to identify and contain the compromised software,” Kaspersky Lab said.

      Read the full article here

    #129711

      AskWoody MVP

      ShadowPad in corporate networks
      By GReAT | August 15, 2017

      In July 2017, during an investigation, suspicious DNS requests were identified in a partner’s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.

      Further investigation showed that the source of the suspicious DNS queries was a software package produced by NetSarang. Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks. The company maintains headquarters in the United States and South Korea.

      The article includes a technical-details PDF.

    #129712

      AskWoody MVP

      Powerful backdoor found in software used by >100 banks and energy cos.
      Advanced ShadowPad malware lurked in digitally signed products sold by NetSarang.

      By Dan Goodin | August 16, 2017

      For 17 days starting last month, an advanced backdoor that gave attackers complete control over networks lurked in digitally signed software used by hundreds of banks, energy companies, and pharmaceutical manufacturers, researchers warned Tuesday.

      The backdoor, dubbed ShadowPad, was added to five server- or network-management products sold by NetSarang, a software developer with offices in South Korea and the US. The malicious products were available from July 17 to August 4, when the backdoor was discovered and privately reported by researchers from antivirus provider Kaspersky Lab. Anyone who uses the five NetSarang titles (Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0, or Xlpd 5.0) should immediately review posts…from NetSarang and Kaspersky Lab.

      The attack is the latest to manipulate the supply chain of a legitimate product in hopes of infecting the people who rely on it. The NotPetya worm that shut down computers around the world in June used the same tactic after attackers hijacked the update mechanism for tax software that was widely used in Ukraine. Supply-chain attacks that targeted online gamers included one used to spread the PlugX trojan in 2015 and the malware dubbed Winnti in 2013.

      Read the full article here
