NetSarang Xshell 5 Backdoor Trojan (ShadowPad)

critical Nessus Plugin ID 102713

Synopsis

The remote host contains an application that is affected by a trojan backdoor.

Description

The installation of Xshell 5, a terminal emulator for Windows, on the remote host contains an nssock2.dll file that has been identified by its MD5 hash as infected with a trojan backdoor.

The affected file includes an encrypted payload that could be remotely activated by a knowledgeable attacker.

Solution

Upgrade to Xshell 5 Build 1326 or later.

See Also

https://securelist.com/shadowpad-in-corporate-networks/81432/

http://www.nessus.org/u?8956bf87

Plugin Details

Severity: Critical

ID: 102713

File Name: netsarang_xshell_5_trojan.nasl

Version: 1.4

Type: local

Agent: windows

Family: Windows

Published: 8/23/2017

Updated: 8/8/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: SMB/Registry/Enumerated

Patch Publication Date: 8/5/2017

Vulnerability Publication Date: 8/4/2017