UPDATE–Police in Ukraine have confiscated several servers from the software company that develops the M.E. Doc accounting software that is believed to have been an unwitting part of the distribution process for the NotPetya ransomware.
Soon after the emergence of NotPetya last week, security researchers from several organizations zeroed in on the update mechanism for the M.E. Doc software as one of the initial distribution methods for the ransomware. Researchers at Eset analyzed a number of the updates sent to users of M.E. Doc in the last few weeks and said that several, but not all of them, contained a piece of malicious code that eventually was used to push the NotPetya ransomware to users of the legitimate software.
“During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc’s source code,” Anton Cherepanov of Eset said in a post analyzing the updates.
“The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.”
On Wednesday, the Ukraine Cyberpolice said it had seized equipment from Intellect Services, the company that makes M.E. Doc, as part of its investigation into NotPetya. The department said it plans to conduct forensic analysis on the servers.
“In order to immediately cease the uncontrolled proliferation of Diskcoder.C (new activity was recorded today) and to establish the criminals, it was decided to conduct searches and retrieval of the software and hardware of the company ‘Intelligence Service’, through which the SHPZ spread. The removed equipment will be sent for detailed analysis to research and develop tools that allow users to detect infected [systems] and neutralize malicious code. During the search, the management and staff fully facilitated the conduct of the investigation,” the Ukraine Cyberpolice said in a statement.
The officials also recommended that users “stop using the software ‘MEDoc’ and turn off the computer on which it is installed on the network.”
Executives at Intellect Services said in an interview with Reuters that the company had analyzed its source code and updates and “it is not infected with a virus and everything is fine, it is safe”. However, researchers with Cisco’s Talos team, who worked directly with Intellect Services on the response to the attack, said that after examining the company’s infrastructure and software, they had found evidence that attackers had indeed backdoored the M.E. Doc software.
“While we didn’t know it at the time, we can now confirm ESET’s research into the backdoor that had been inserted into the M.E.Doc software. The .net code in ZvitPublishedObjects.dll had been modified on multiple occasions to allow for a malicious actor to gather data and download and execute arbitrary code,” David Maynor, Aleksandar Nikolic, Matt Olney, and Yves Younan, of the Talos team said in a post on the investigation.
The researchers also said that the attackers who executed the NotPetya campaign likely have a backup attack infrastructure to work with now that this one has been exposed.
“In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software. This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor,” they said.
This story was updated at 3:26 PM on July 5 to add the information from Cisco.