ThreatSTOP Blog

Xshell Ghost – All Ex Machina, None of the Deus

Written by Jeremiah Jackson | October 9, 2017

Certain versions of Xshell contain a backdoor that could allow for data exfiltration.

Xshell is a popular secure terminal emulation program. It allows Windows devices remote access to *nix based systems via a secure connection. In August researchers discovered a backdoor in Xshell. This allows attackers to recover sensitive data from logged in Xshell sessions. The effected versions of Xshell are:

  • Xmanager Enterprise 5.0 Build 1232
  • Xmanager 5.0 Build 1045
  • Xshell 5.0 Build 1322
  • Xftp 5.0 Build 1218
  • Xlpd 5.0 Build 1220

The backdoor is in the nssock2.dll, shared by the compilations for these programs. While it isn’t entirely clear how the change to the DLL occurred, it’s believed that the attacker compromised a developer system, and changed the source for the DLL to incorporate a backdoor.

Comparing the checksum value of your version of nssock2.dll to the following values will establish if it is a compromised copy:

  • MD5: 97363d50a279492fda14cbab53429e75
  • SHA-1: f1a181d29b38dfe60d8ea487e8ed0ef30f064763

Alternatively, you can right-click the file in your installation directory select Properties, then Details and check the Product version. If it matches 5.0.0.26 then your file is the compromised version.

To remediate this issue, download the latest version of the software (any update post-August 5th). This will remove the compromised version and install the latest version.

About the Backdoor

The malware itself captures login usernames and passwords for systems and exfiltrates the data to a third-party server where the data is later picked up by the attacker.

Analysis of the DLL, shows that the hack gathers host information, and generates a month of DGA data. After sweeping through the data to find the active server it uploads any information it has on servers and login information.

About the DNS Tunnel used by Xshell Ghost

To communicate with its C&C, Xshell Ghost opens a DNS Tunnel to pass data. This is a rather interesting choice for data exfiltration. By encapsulating data into the DNS protocol, the attacker is able to pass data through the DNS protocol.

Data is then exfiltrated by the Xshell Ghost by depositing victim data into a DNS resolver that is aware of the C&C DGA. When the time is right the DNS resolver provides updated DNS records to the DGA, and the data is then transferred. This scatters the data across multiple DNS servers to avoid detection, and prevent ease of blocking the transfer.

How can ThreatSTOP Help?

ThreatSTOP blocks DGA domains like those used by XshellGhost. By enabling the Botnet DGAs Tier 2 (Or specifically XshellGhost in expert mode) in your policy, DGA Domain protection is added to your policy and uploaded to your ThreatSTOP secured device.

If you don’t have a ThreatSTOP account, If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our team.