A powerful malware dubbed 'ShadowPad' was discovered and planted in a server management software product that is used by hundreds of large businesses worldwide. The malicious software was discovered by researchers at Kaspersky Lab. It was discovered that when the software was activated it would open a 'backdoor' that allowed attackers to download malicious modules and steal data. Kaspersky Lab has alerted NetSarang, the affected software vendor, and as a result, the company removed the malicious code and released an update for its customers. ShadowPad is one of the largest known supply-chain attacks and had the threat not been detected and patched quickly, it could have potentially targeted hundreds of organisations worldwide, stated Kaspersky Lab.
The affected products, NetSarang’s Xmanager Enterprise 5.0, Xmanager 5.0, Xshell 5.0, Xftp 5.0 and Xlpd 5.0, were available between July 17th and August 4th. Kaspersky Lab’s Global Research and Analysis Team (GReAT) was approached by a financial institution about a suspicious domain name system (DNS) request that originated from a system involved in financial transactions. Further investigation showed that the vendor had not intended the software to make such requests. The researchers then found that the suspicious requests came from a malicious module hidden inside a recent version of the legitimate software.
Once the software was installed on the servers, it would send DNS queries containing basic information about the victim's system (user name, domain name, host name) to specific domains every eight hours. If the attackers judged the system to be of interest to them, the command server would reply and activate a fully-fledged 'backdoor' platform, which would download and execute further malicious code. Kaspersky Lab promptly informed NetSarang, after which the company released an updated version of the software without the malicious code.
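A detection heuristic for the beaconing pattern described above, added here as an illustration rather than taken from Kaspersky Lab or NetSarang: it groups DNS log lines by client and parent domain, and flags pairs whose queries carry encoded-looking labels and recur at a steady eight-hour interval. The log format, domains and addresses are constructed placeholders, and the label-length check is an assumed heuristic, not ShadowPad's actual encoding.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: "<timestamp> <client_ip> <queried_name>".
# Domains and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2017-08-01T00:05:10 10.0.0.7 q3v7xkp2m9d4b1zw8f.example-beacon.invalid
2017-08-01T03:11:02 10.0.0.7 www.vendor-update.invalid
2017-08-01T08:05:14 10.0.0.7 q3v7xkp2m9d4b1zw8f.example-beacon.invalid
2017-08-01T16:05:09 10.0.0.7 q3v7xkp2m9d4b1zw8f.example-beacon.invalid
2017-08-02T00:05:12 10.0.0.7 q3v7xkp2m9d4b1zw8f.example-beacon.invalid
2017-08-01T09:00:00 10.0.0.8 mail.corp-intranet.invalid
2017-08-01T09:30:00 10.0.0.8 mail.corp-intranet.invalid
"""


def parse_log(text):
    """Yield (timestamp, client, queried_name) for each log line."""
    for line in text.splitlines():
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name


def parent_domain(name):
    """Last two labels of the name; a simple stand-in for the registrable domain."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def looks_encoded(name):
    """Assumed heuristic: a long leftmost label mixing letters and digits
    looks like data smuggled into a query rather than a chosen hostname."""
    label = name.split(".")[0]
    return (len(label) >= 16 and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def find_beacons(log_text, period_s=8 * 3600, tolerance=0.05, min_queries=3):
    """Return {(client, parent_domain): median_gap_seconds} for beacon-like traffic."""
    groups = defaultdict(list)
    for ts, client, name in parse_log(log_text):
        if looks_encoded(name):
            groups[(client, parent_domain(name))].append(ts)
    hits = {}
    for key, times in groups.items():
        times.sort()
        if len(times) < min_queries:
            continue  # too few queries to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period_s) <= tolerance * period_s:
            hits[key] = med
    return hits
```

A real deployment would also whitelist known-good domains and use a public suffix list instead of the two-label parent-domain shortcut.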
According to the Kaspersky Lab research, the malicious module has been activated in Hong Kong, but it is believed that many other systems worldwide have been affected by it. Users are requested to install the updated version of the affected software, in order to safeguard their systems against cyber attacks.