Hidden backdoor found in popular server software

17 August 2017, 19:39 | Technologies

Kaspersky Lab has found a malicious program, ShadowPad, with backdoor functionality in widely used server software from NetSarang.

The malware was reportedly found during an investigation of suspicious activity in the corporate network of an unnamed financial organization. More broadly, users of NetSarang software across various industries were at risk, many of them organizations on the Fortune 500 list.

During the investigation, it was found that suspicious DNS requests had begun to appear on a system that processes the affected organization's financial transactions. Their source was legitimate server management software: cybercriminals had inserted malicious code into it to steal data from the corporate networks of large companies.

The hidden malware contacts the attackers' command server every eight hours. The data packets it transmits contain basic information about the victim company's system. If a potential victim is of interest to the attackers, the command server sends a response that activates the malicious program already loaded on the system, which in turn can load and run other malicious modules.
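The eight-hour check-in over DNS described above is something defenders can look for in resolver logs. The following is an added example, not code from Kaspersky Lab or NetSarang: it flags client and domain pairs whose queries are spaced at a near-constant eight-hour interval. The log format, the domain names, the tolerance and the grouping of queries by parent domain (on the assumption that the leading label may vary between requests) are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample resolver log (timestamp, client IP, queried name); not real indicators.
SAMPLE_LOG = """\
2017-08-01T00:05:10 10.0.0.5 aaaa1111.beacon.example.test
2017-08-01T08:05:40 10.0.0.5 bbbb2222.beacon.example.test
2017-08-01T16:04:55 10.0.0.5 cccc3333.beacon.example.test
2017-08-02T00:06:02 10.0.0.5 dddd4444.beacon.example.test
2017-08-01T09:00:00 10.0.0.7 www.example.test
2017-08-01T09:00:03 10.0.0.7 www.example.test
2017-08-01T13:30:00 10.0.0.7 www.example.test
2017-08-01T14:10:00 10.0.0.7 www.example.test
"""

def parent_domain(name, labels=3):
    """Keep the last `labels` labels so varying leading labels fall into one series."""
    return ".".join(name.lower().rstrip(".").split(".")[-labels:])

def find_beacons(log_text, period_s=8 * 3600, tolerance_s=600, min_queries=4):
    """Return (client, domain, median_gap_seconds) for series spaced about period_s apart."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, name = parts
        series[(client, parent_domain(name))].append(datetime.fromisoformat(ts))
    hits = []
    for (client, domain), times in sorted(series.items()):
        if len(times) < min_queries:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Every gap must sit near the period; bursty interactive traffic fails this.
        if all(abs(g - period_s) <= tolerance_s for g in gaps):
            hits.append((client, domain, median(gaps)))
    return hits

if __name__ == "__main__":
    for client, domain, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {domain}: median gap {gap / 3600:.2f} h")
```

A hit is only a lead for investigation: legitimate software such as update checkers can also query on a fixed schedule.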



At the moment, ShadowPad has been activated in the Asia-Pacific region. However, it may remain dormant on many systems around the world. NetSarang has already removed the malicious code from its product and released a security update.

Kaspersky Lab adds that the techniques and tools used in this campaign are very similar to those used in attacks by the Chinese-speaking group WinNTi. However, a clear connection between these attacks has not yet been established.



