
Shadowpad

Posted: August 17, 2017

Threat Metric

Threat Level: 6/10
Infected PCs: 759
First Seen: August 17, 2017
Last Seen: April 21, 2023
OS(es) Affected: Windows


ShadowPad is a backdoor Trojan that can give a remote attacker control over your computer. Its payload includes avenues for collecting confidential information from the system or for installing and running other threats. Update your NetSarang software to eliminate the infection vector used by its campaign, and have a dedicated anti-malware solution remove ShadowPad as soon as possible.

The Shadow that Slipped into an Update Cycle

Ultimately, nearly all Trojan attacks come down to users inviting the threat inside in the first place. Rare exceptions do exist, such as zero-day attacks that use non-publicly-known vulnerabilities for their drive-by downloads. The ShadowPad campaign shows another modus operandi: compromising a legitimate program's updates to gain access to that product's clientele.

ShadowPad is, in terms of reach, a successful example of this style of attack: it could have compromised hundreds of organizations around the world, including any businesses or governments using NetSarang products. The corrupted downloads, which the company has long since removed, were Xmanager Enterprise 5 Build 1232, Xmanager 5 Build 1045, Xshell 5 Build 1322, Xftp 5 Build 1218, and Xlpd 5 Build 1220. Unbeknownst to the developer, threat actors compromised the supply chain and inserted a basic downloader for ShadowPad into these builds.

ShadowPad's dropper follows what malware experts note is standard operating procedure for high-level cyber-espionage: it collects system statistics and hands them to the Command & Control (C&C) server, which may or may not respond with instructions for escalating the attack. Optionally, the C&C activates a previously dormant backdoor feature, the defining payload of ShadowPad. Through this backdoor Trojan, the attackers can launch new processes, upload files to their C&C, and covertly save other data for collection at a later date.

Padding Away Lightly from Backdoor Problems

ShadowPad's past infection strategy can only endanger a system if the user downloaded one of the noted builds and stopped patching at that point instead of continuing to update regularly. Modern versions of NetSarang products shouldn't be at risk from the 2017 implementation of ShadowPad's dropper, although the company hasn't made public any details about how its patch delivery system came to be compromised. ShadowPad's campaign does resemble PlugX attacks from the Winnti group of threat actors, which suggests a heightened risk to targets of interest to China-based hackers.

A backdoor Trojan like ShadowPad shows few symptoms, even to normally alert users. Network activity corresponding to contact with a corrupted domain is one of the few ways that organizations can identify infections, and AV vendor Kaspersky is providing a full list of the relevant sites. Always respond to infections by disabling network connectivity and removing ShadowPad with an appropriate anti-malware service.

The usual conversation between a Trojan's victim and the rest of the cyber-security industry involves asking what the user did wrong in the first place. With ShadowPad, the mistake can be nothing worse than downloading an update, which is why it's so vital to make a habit of staying abreast of security hotfixes and rollbacks.

Technical Details

File System Modifications


The following files were created in the system:

File name   Size                       MD5                               Detection count   File type              Last Updated
file.dll    180.43 KB (180432 bytes)   22593db8c877362beb12396cfef693be  56                Dynamic link library   August 17, 2017
file.dll    180.65 KB (180658 bytes)   82e237ac99904def288d3a607aa20c2b  53                Dynamic link library   August 17, 2017
file.dll    167.93 KB (167936 bytes)   dac6dd4943f23b325e361552c0b8b77a  50                Dynamic link library   August 17, 2017
file.dll    180.43 KB (180432 bytes)   97363d50a279492fda14cbab53429e75  49                Dynamic link library   August 17, 2017
file.exe    57.76 MB (57763752 bytes)  0009f4b9972660eeb23ff3a9dccd8d86  12                Executable File        August 27, 2021

All five entries belong to the group "Malware file"; the MIME type is unknown/dll for the DLLs and unknown/exe for the executable.
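The table above gives MD5 and size for each known ShadowPad file, and the article recommends scanning for the infection. The following scanner is an added example (not code from the page or from NetSarang or Kaspersky): it walks a directory, uses the file size as a cheap pre-filter, and hashes only size-matching DLL/EXE files against the indicators from the table. The `.dll`/`.exe` suffix filter and the benign constructed sample in `self_check` are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators copied from the table above: MD5 -> size in bytes.
SHADOWPAD_IOCS = {
    "22593db8c877362beb12396cfef693be": 180432,
    "82e237ac99904def288d3a607aa20c2b": 180658,
    "dac6dd4943f23b325e361552c0b8b77a": 167936,
    "97363d50a279492fda14cbab53429e75": 180432,
    "0009f4b9972660eeb23ff3a9dccd8d86": 57763752,
}
# Size is a cheap pre-filter: only files whose size matches an indicator get hashed.
IOC_SIZES = set(SHADOWPAD_IOCS.values())


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so the 57 MB sample need not be loaded whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_ioc(md5_hex: str, size: int) -> bool:
    """True only when both the MD5 and the size agree with a listed indicator."""
    return SHADOWPAD_IOCS.get(md5_hex.lower()) == size


def scan_tree(root: Path, suffixes=(".dll", ".exe")) -> list:
    """Return [(path, md5)] for every file under root that matches an indicator."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        size = p.stat().st_size
        if size not in IOC_SIZES:  # skip hashing files that cannot match
            continue
        digest = md5_of_file(p)
        if match_ioc(digest, size):
            hits.append((str(p), digest))
    return hits


def self_check() -> list:
    """Constructed sample: a benign file with the same size as an indicator must not match."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "constructed_benign.dll"
        sample.write_bytes(b"A" * 180432)  # same size as two listed DLLs, different bytes
        return scan_tree(Path(tmp))
```

Run `scan_tree(Path(r"C:\Program Files"))` or a NetSarang install directory to get the list of matching files; an empty list means none of the listed samples are present.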