PINDROP BLOG

Makers of ME Doc Software Say They’ve Closed Backdoor Used By NotPetya

The makers of the M.E. Doc software at the center of the NotPetya malware story say they have produced an updated version of the application that removes the backdoor attackers slipped into earlier updates several months ago.

“M.E.Doc has created an update that will ensure safe work in the program. This was reported by SEA ‘IT-expert’ Alesya Bilousova. ‘Today, we officially handed the Cyberpolice update 190, which removes the malware (backdoor) from our product. After its inspection, the Cyberpolice Department will provide its findings, and I hope tomorrow we will be able to launch it,’ said the representative of the company. The update mentioned contains enhanced protection from the virus-encryptor,” a statement from the company on Facebook says.

The company has not yet pushed the update to customers; it is still being reviewed by Ukrainian law enforcement officials.

The news of the update comes two days after agents from the Ukrainian Cyberpolice went to the offices of Intellect Services, the company that makes the M.E. Doc accounting software, and seized a number of the servers used to deliver updates to customers. Security researchers and forensic experts working directly with the company said they had found direct evidence that attackers had inserted a backdoor into M.E. Doc software updates pushed to customers over the preceding several weeks.

Researchers from Cisco’s Talos team worked on site at Intellect Services and said their findings matched those produced independently by researchers at ESET, who found a stealthy backdoor in the M.E. Doc software. The software, which is used by a large number of Ukrainian businesses, served as the initial infection vector for NotPetya, which then spread on its own inside the networks it reached.

“While we didn’t know it at the time, we can now confirm ESET’s research into the backdoor that had been inserted into the M.E.Doc software. The .NET code in ZvitPublishedObjects.dll had been modified on multiple occasions to allow for a malicious actor to gather data and download and execute arbitrary code,” David Maynor, Aleksandar Nikolic, Matt Olney, and Yves Younan of the Talos team said in a post on the investigation.

Experts initially assumed NotPetya was ransomware, because its infection screen demanded Bitcoin to decrypt the victim’s files. But they quickly found that the ransom demand was a ruse: NotPetya was in fact destroying data on infected machines, overwriting the master boot record, and the “installation key” shown in the note was random data, so no payment could yield a working decryption key. Researchers also discovered that, thanks to the backdoor in M.E. Doc, the attackers behind this campaign likely had access to the compromised PCs for several weeks before they decided to push the NotPetya malware to them. Why the attackers chose to burn their access to these organizations for a faux ransomware campaign is unclear.

Intellect Services did not specify when it would be able to issue the clean update.

CC By license image from Tawheed Manzoor