<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/0000_Sec_Logo_with_tm.png" alt="0000_Sec_Logo_with_tm.png" width="320" style="width: 320px; display: block; margin-left: auto; margin-right: auto;"><span style="font-size: 12.1612px; background-color: transparent;">Certain versions of Xshell contain a backdoor that could allow for data exfiltration.</span></p> <!--more--> <p><a href="http://www.netsarang.com/">Xshell</a> is a popular secure terminal emulation program. It gives Windows devices remote access to *nix-based systems over a secure connection. In August, researchers discovered a backdoor in Xshell that allows attackers to recover sensitive data from logged-in Xshell sessions. The affected versions are:</p> <ul> <li>Xmanager Enterprise 5.0 Build 1232</li> <li>Xmanager 5.0 Build 1045</li> <li>Xshell 5.0 Build 1322</li> <li>Xftp 5.0 Build 1218</li> <li>Xlpd 5.0 Build 1220</li> </ul> <p>The backdoor lives in nssock2.dll, a library shared by the builds of all these programs. While it isn’t entirely clear how the change to the DLL occurred, it’s believed that the attacker compromised a developer system and altered the DLL’s source to incorporate the backdoor.</p> <p>Comparing the checksum of your copy of nssock2.dll to the following values will establish whether it is the compromised build:</p> <ul> <li>MD5: 97363d50a279492fda14cbab53429e75</li> <li>SHA-1: f1a181d29b38dfe60d8ea487e8ed0ef30f064763</li> </ul> <p>Alternatively, you can right-click the file in your installation directory, select Properties, then Details, and check the Product version. If it reads 5.0.0.26, your file is the compromised version.</p> <p>To remediate this issue, download the latest version of the software (any update post-August 5th). 
This will remove the compromised version and install the latest one.</p> <p><strong>About the Backdoor</strong></p> <p>The malware captures the usernames and passwords used to log in to remote systems and exfiltrates them to a third-party server, where the attacker later picks them up.</p> <p>Analysis of the DLL shows that the backdoor gathers host information and generates a month’s worth of <a href="https://dochub.threatstop.com/display/TS/D#D-_dga">DGA</a> domains. After sweeping through those domains to find the active server, it uploads whatever server and login information it has collected.</p> <p><strong>About the DNS Tunnel used by Xshell Ghost</strong></p> <p>To communicate with its <a href="http://dochub.threatstop.com/display/TS/C#C-_c&amp;c">C&amp;C</a>, Xshell Ghost opens a DNS tunnel to pass data. This is a rather interesting choice for data exfiltration: by encapsulating the stolen data in DNS queries, the attacker moves it over the <a href="http://dochub.threatstop.com/display/TS/D#D-_dns">DNS</a> protocol itself.</p> <p>Xshell Ghost exfiltrates the data by depositing it with a DNS resolver that is aware of the C&amp;C DGA. When the time is right, that resolver provides updated DNS records for the DGA domains and the data is transferred. Scattering the data across multiple DNS servers helps avoid detection and makes the transfer harder to block.</p> <p><strong>How can ThreatSTOP Help?</strong></p> <p>ThreatSTOP blocks DGA domains like those used by XshellGhost. 
By enabling the <span>Botnet DGAs Tier 2 (or specifically XshellGhost in expert mode)</span> target in your policy, DGA domain protection is added to your policy and uploaded to your ThreatSTOP-secured device.</p> <p>If you don’t have a ThreatSTOP account, If you do have a ThreatSTOP account, instructions for adding targets to <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall">IP</a> Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our team.</p></span>
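<p>As an added example (not from the original post or from ThreatSTOP), the following Python script flags the trace a DNS tunnel like the one described above leaves in resolver logs: many distinct, long, high-entropy subdomain labels beneath one registered domain. The log format, client addresses, hex labels and the domain xkq7h2vm9p.example are constructed for the example, and the registered-domain split assumes a two-label suffix.</p>

```python
import math
from collections import defaultdict

# Constructed resolver log ("<time> <client> <qtype> <qname>"); made up for this
# example, not captured XshellGhost traffic. The hex labels stand in for encoded
# victim data and xkq7h2vm9p.example for a DGA-generated C&C domain.
SAMPLE_LOG = """\
2017-08-15T10:00:01 10.0.0.5 A www.example.com
2017-08-15T10:00:02 10.0.0.5 A mail.example.com
2017-08-15T10:00:03 10.0.0.7 TXT 6a6f686e3a5040737377307264.xkq7h2vm9p.example
2017-08-15T10:00:03 10.0.0.7 TXT 7261646d696e3a687562626c65.xkq7h2vm9p.example
2017-08-15T10:00:04 10.0.0.7 TXT 726f6f743a4a75737431326d6f.xkq7h2vm9p.example
2017-08-15T10:00:04 10.0.0.7 TXT 6465763a3966356637353665.xkq7h2vm9p.example
2017-08-15T10:00:05 10.0.0.9 A static.assets.example.org
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; encoded payloads score far above dictionary words."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Assumption: the last two labels form the registered domain. Production
    # code should consult a public-suffix list to handle suffixes like co.uk.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(log_text, min_unique=3, min_label_len=20, min_entropy=2.5):
    """Return domains whose queries look like a DNS tunnel: many distinct,
    long, high-entropy subdomain labels beneath one registered domain."""
    stats = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                          # skip malformed lines
        qname = parts[3].lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        if not sub:
            continue                          # apex query carries no payload
        longest = max(sub.split("."), key=len)
        s = stats[dom]
        s["subs"].add(sub)
        s["len"] = max(s["len"], len(longest))
        s["ent"] = max(s["ent"], shannon_entropy(longest))
    return sorted(d for d, s in stats.items() if len(s["subs"]) >= min_unique
                  and s["len"] >= min_label_len and s["ent"] >= min_entropy)
```

Thresholds should be tuned against a baseline of your own resolver traffic, since CDNs and some security products also generate long machine-built labels.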