Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

NetSarang Products DNS-Based Backdoor Vulnerability Allowing Remote Code Execution

Vulnerability

A backdoor vulnerability has been identified in multiple NetSarang products, including Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. The backdoor is embedded in a malicious DLL file named nssock2.dll, which implements a multi-stage, DNS-based attack. The dormant library contacts a command and control (C2) server via a specially crafted TXT record for a domain generated based on the current month. After receiving a decryption key, the backdoor downloads and executes arbitrary code, creates an encrypted virtual file system in the registry, and allows full remote code execution, data exfiltration, and persistence for the attacker.

Impact

Exploitation of this vulnerability allows for unauthorized remote code execution on the affected system, with the added risks of data exfiltration and persistence of the backdoor on the system.

Remediation

NetSarang has released updated versions for each affected product that remove the malicious code. Users should update to the latest version: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224.
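The sketch below is an added example, not NetSarang's or the advisory author's code. It triages a software inventory against the build numbers listed above. It assumes the inventory reports products as display strings of the form "Xshell 5.0 Build 1322", and that builds at or above the fixed build keep the fix. The function names and sample hosts are hypothetical.

```python
import re

# Builds named in the advisory: product -> (backdoored build, fixed build).
BUILDS = {
    "Xmanager Enterprise": (1232, 1236),
    "Xmanager": (1045, 1049),
    "Xshell": (1322, 1326),
    "Xftp": (1218, 1222),
    "Xlpd": (1220, 1224),
}
# Longest name first so "Xmanager Enterprise" is tried before its prefix "Xmanager".
_NAMES = sorted(BUILDS, key=len, reverse=True)
_ENTRY = re.compile(
    r"^\s*(?P<product>" + "|".join(re.escape(n) for n in _NAMES) + r")\s+"
    r"(?P<major>\d+)\.\d+\s+Build\s+(?P<build>\d+)\s*$"
)

def classify(display_name):
    """Return (product, build, status) for one inventory display string."""
    m = _ENTRY.match(display_name)
    if not m:
        return (None, None, "unparsed")
    product, build = m["product"], int(m["build"])
    bad, fixed = BUILDS[product]
    if m["major"] != "5":
        status = "not-covered"  # the advisory only lists 5.0 builds
    elif build == bad:
        status = "backdoored"
    elif build >= fixed:
        status = "fixed"        # assumption: builds after the fix stay clean
    else:
        status = "not-listed"   # the advisory says nothing about this build
    return (product, build, status)

def triage(rows):
    """rows: iterable of (host, display_name); return hosts on a backdoored build."""
    return [(host, *classify(name)[:2]) for host, name in rows
            if classify(name)[2] == "backdoored"]

# Constructed sample inventory; hostnames are made up.
SAMPLE = [
    ("ws-01", "Xshell 5.0 Build 1322"),
    ("ws-02", "Xmanager Enterprise 5.0 Build 1236"),
    ("ws-03", "Xmanager 5.0 Build 1045"),
    ("ws-04", "Xmanager Enterprise 5.0 Build 1045"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Build 1045 is flagged for Xmanager but reported as "not-listed" for Xmanager Enterprise, because the advisory ties each backdoored build number to one specific product.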

Added: Oct 9, 2025, 5:39 PM
Updated: Oct 9, 2025, 5:39 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 7.1
remediation: 7.7
relevance: 0.7
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.