Kaspersky Lab

**Name of the Vulnerable Software and Affected Versions** NetSarang Xmanager Enterprise versions 5.0 Build 1232 through 5.0 Build 1236 NetSarang Xmanager versions 5.0 Build 1045 through 5.0 Build 1049 NetSarang Xshell versions 5.0 Build 1322 through 5.0 Build 1326 NetSarang Xftp versions 5.0 Build 1218 through 5.0 Build 1222 NetSarang Xlpd versions 5.0 Build 1220 through 5.0 Build 1224 **Description** The software contains a malicious `nssock2.dll` library that implements a multi-stage, DNS-based backdoor. The library establishes contact with a command and control (C2) DNS server using a specially crafted TXT record for a month-generated domain. Upon receiving a decryption key, it downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) within the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. An instance of exploitation was identified in the wild in August 2017. **Recommendations** Update NetSarang Xmanager Enterprise to build 1236. Update NetSarang Xmanager to build 1049. Update NetSarang Xshell to build 1326. Update NetSarang Xftp to build 1222. Update NetSarang Xlpd to build 1224.