Critical Xshell Backdoor Alert: How Malicious DLLs Leak Data and What to Do
A recent security advisory reveals that several builds of the popular remote terminal Xshell (and sibling NetSarang products that ship the same library) contain a backdoor in the nssock2.dll component. The implanted code can load shellcode that harvests host information, generates one DGA domain per month, and pushes data out over DNS. Check your installed build immediately and upgrade.
Brief
Recently, the widely used remote terminal Xshell was found to contain a backdoor. The backdoor lives in a shared network library (nssock2.dll), so the Xmanager, Xftp and Xlpd builds that ship the same component are affected as well. Users running trojanized versions may have sensitive information, including credentials for the servers they manage, leaked to attackers.
Affected Systems
Xshell 5.0 Build 1322
Xshell 5.0 Build 1325
Xmanager Enterprise 5.0 Build 1232
Xmanager 5.0 Build 1045
Xftp 5.0 Build 1218
Xlpd 5.0 Build 1220
Technical Details
The network communication component nssock2.dll used by Xshell carries backdoor code. The DLL bears a valid vendor signature, which means the malicious code was already present when the vendor signed the file; signature verification alone will therefore not catch it, and multiple security vendors flag the signed file as malicious.
360 Threat Intelligence Center found that the DLL can load and execute shellcode which collects host information and, using a DGA, generates one domain per month that it then resolves over DNS. The domains observed so far, in month order:
vwrcbohspufip.com (June)
ribotqtonut.com (July)
nylalobghyhirgh.com (August)
jkvmdmjyfcvkf.com (September)
bafyvoruzgjitwr.com (October)
These domains receive very large query volumes (up to 8 million DNS queries on August 3), all of type NS. The volume and the uniform query type indicate that the DNS channel itself is being used to carry collected data out of victim networks, not merely to locate a command-and-control server.
Impact
Users of trojanized builds risk leaking credentials and other sensitive data from the local machine, and by extension from every remote system they manage with these tools.
Solution
Check whether your installed build matches any of the affected builds listed above. Also search DNS resolver logs for queries to the listed IOC domains or to any of their subdomains; a hit means an internal machine is almost certainly running a backdoored build.
Upgrade Xshell to Build 1326 or later, which resolves the issue, and upgrade the other affected products to the fixed builds the vendor has published. Then rotate the passwords and keys of every account that was used through the affected tools, and treat the servers reached with those credentials as potentially exposed. Download the latest version only from the official site: https://www.netsarang.com/download/software.html
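The DNS log check described above, as an added example (this is not code from the original article, from 360, or from NetSarang). It parses resolver query logs, matches each query name against the IOC domain list by suffix so that queries for encoded subdomains are caught as well, records the query type, and counts hits per internal source address. The log format is assumed to be BIND-style query logging; adjust LOG_RE for Windows DNS debug logs or Zeek dns.log. The sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# IOC domains from the advisory, with the month each one belongs to.
IOC_DOMAINS = {
    "vwrcbohspufip.com": "June",
    "ribotqtonut.com": "July",
    "nylalobghyhirgh.com": "August",
    "jkvmdmjyfcvkf.com": "September",
    "bafyvoruzgjitwr.com": "October",
}

# Constructed sample in BIND query-log style (assumption: your resolver logs
# look similar). Two internal hosts, three hits, two benign lines.
SAMPLE_LOG = """\
03-Aug-2017 09:12:01.113 client 10.1.4.23#51234: query: q7f3k2.nylalobghyhirgh.com IN NS + (10.1.0.5)
03-Aug-2017 09:12:01.120 client 10.1.4.23#51234: query: www.example.com IN A + (10.1.0.5)
03-Aug-2017 09:13:44.002 client 10.1.4.23#51240: query: b1c9d.nylalobghyhirgh.com IN NS + (10.1.0.5)
03-Aug-2017 09:15:10.551 client 10.1.7.9#40011: query: mail.example.com IN MX + (10.1.0.5)
03-Aug-2017 09:16:02.900 client 10.1.7.9#40012: query: zz9.ribotqtonut.com IN NS + (10.1.0.5)
"""

# Tolerates both the older "client IP#port:" and newer "client @0x... IP#port (name):" forms.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matched_ioc(qname):
    """Return the IOC domain that qname equals or sits under, else None.

    Suffix matching matters: data carried in DNS goes into subdomain labels,
    so an exact-match rule on the registered domain would miss every hit.
    """
    q = qname.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if q == dom or q.endswith("." + dom):
            return dom
    return None


def scan_dns_log(text):
    """Return one finding dict per log line whose query name hits the IOC list."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dom = matched_ioc(m["qname"])
        if dom:
            findings.append({
                "src": m["src"],
                "qname": m["qname"],
                "qtype": m["qtype"],
                "ioc": dom,
                "month": IOC_DOMAINS[dom],
            })
    return findings


def summarize(findings):
    """Hits per internal source address: these are the hosts to pull off the network."""
    per_src = Counter()
    for f in findings:
        per_src[f["src"]] += 1
    return per_src


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['src']:12} {f['qtype']:4} {f['qname']}  ({f['month']} DGA domain)")
    for src, n in summarize(hits).most_common():
        print(f"{src}: {n} IOC queries")
```

Run it against a real query log by replacing SAMPLE_LOG with the file contents. Every source address that appears in the summary should go through the host-side check below before it is returned to service; the NS query type in the findings is the same signature the advisory describes.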
IOC
Domain: vwrcbohspufip.com – June DGA
Domain: ribotqtonut.com – July DGA
Domain: nylalobghyhirgh.com – August DGA
Domain: jkvmdmjyfcvkf.com – September DGA
Domain: bafyvoruzgjitwr.com – October DGA
File hash (MD5): 97363d50a279492fda14cbab53429e75 (nssock2.dll)
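A host-side check that ties the IOC hash above to the version check in the Solution section, as an added example (not code from the original article, from 360, or from NetSarang). It walks an install tree, hashes every nssock2.dll it finds and reports whether the hash matches the published sample. The default search roots are an assumption about where NetSarang products are installed on 64-bit Windows; pass other directories on the command line.

```python
import hashlib
import os
import sys

# MD5 of the backdoored nssock2.dll from the IOC list above.
IOC_MD5 = "97363d50a279492fda14cbab53429e75"
TARGET_NAME = "nssock2.dll"

# Assumption: default install roots on 64-bit Windows. Override with argv.
DEFAULT_ROOTS = [
    r"C:\Program Files (x86)\NetSarang",
    r"C:\Program Files\NetSarang",
]


def md5_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def classify(digest):
    """'IOC-MATCH' for the published sample, otherwise 'UNVERIFIED'.

    A non-matching hash only means this copy is not the one published sample.
    It does not prove the file is clean, so the build number must still be
    compared against the affected list, and a valid Authenticode signature is
    not evidence either: the IOC sample is signed.
    """
    return "IOC-MATCH" if digest.lower() == IOC_MD5 else "UNVERIFIED"


def scan_tree(root):
    """Return [(path, md5, verdict)] for every nssock2.dll below root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET_NAME:
                path = os.path.join(dirpath, name)
                digest = md5_file(path)
                findings.append((path, digest, classify(digest)))
    return findings


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    for root in roots:
        if not os.path.isdir(root):
            continue
        for path, digest, verdict in scan_tree(root):
            print(f"{verdict:10} {digest} {path}")
```

Any IOC-MATCH result means the host has been running a backdoored build: remove the installation, rotate every credential used through it, and pull the DNS logs for that host. An UNVERIFIED result on an affected build number still calls for the upgrade.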
Expert Advice
Security Operations Director Lei Bing (Ctrip) recommends immediately verifying the Xshell version, removing any infected copies, and promptly changing server passwords. Implement source-IP restrictions, two-factor authentication, bastion hosts, or certificate-based access to mitigate credential leakage. Only download tools from official sources, automate log anomaly detection, and deploy host-based IDS for early threat detection.
Reference
https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
Efficient Ops
This public account is maintained by Xiaotianguo and friends and regularly publishes original technical articles. We focus on the transformation of operations work and aim to accompany you throughout your operations career.