Kaspersky Labs hunt down NetSarang’s malicious module

Kaspersky Lab experts have discovered a backdoor, which allows attackers to steal data or download malicious modules when activated.

The backdoor was found in a server management software product by NetSarang, a server management security company.

Following the discovery, Kaspersky Lab researchers immediately contacted NetSarang, who reacted by releasing an updated version of the software without the malicious code.

An investigation revealed the source of these requests was server management software produced by a legitimate company, used by hundreds of customers in financial services, education, telecoms, manufacturing, energy, and transportation.

Security expert at Kaspersky Labs, Igor Soumenjov, said: “Most likely it will be reproduced again and again with some other widely used software component. Luckily NetSarang was fast to react to our notification and released a clean software update, most likely preventing hundreds of data stealing attacks against its clients.

“However, this case shows that large companies should rely on advanced solutions capable of monitoring network activity and detecting anomalies. This is where you can spot malicious activity even if the attackers were sophisticated enough to hide their malware inside legitimate software.”

Kaspersky Lab researchers found that the malicious module had been activated in Hong Kong, which could be linked to PlugX malware variants used by the Winnti APT, a known Chinese-speaking cyberespionage group.

NetSarang added in a statement: “To combat the ever-changing landscape of cyber attacks NetSarang has incorporated various methods and measures to prevent our line of products from being compromised, infected, or utilised by cyberespionage groups.

“The fact that malicious groups and entities are utilising commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

Kaspersky Lab advises users to immediately update the latest version of NetSarang software, from which the malicious module has been removed.

Written from press release by Leah Alger