NetSarang Xmanager
cpe:2.3:a:netsarang:xmanager:*:*:*:*:*:*:*
- 5.0 Build 1232
This vulnerability is being actively exploited in the wild.
A backdoor has been identified in multiple NetSarang products, including Xmanager Enterprise, Xmanager, Xshell, Xftp, and Xlpd, all version 5.0. The backdoor is embedded in a malicious DLL, nssock2.dll, which implements a multi-stage, DNS-based attack. The library initially lies dormant and contacts a command and control (C2) server by querying a specially crafted TXT record for a domain generated from the current month. Once it receives a decryption key in the response, the backdoor activates and can download and execute arbitrary code. It also stores an encrypted virtual file system in the Windows registry, giving attackers full remote code execution, data exfiltration, and persistence on the compromised system.
Exploitation of this vulnerability allows for unauthorized remote code execution on the affected system, with the added risks of data exfiltration and persistent access for the attacker.
NetSarang has released updated versions for each affected product that remove the malicious code. Users should update to the latest version: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224.