ESET security researchers have performed a detailed analysis of a stealthy backdoor used by the group behind the NotPetya destructive wiper and injected into the legitimate resources of tax accounting software M.E.Doc earlier this year.
Masquerading as ransomware, NotPetya was eventually found to be a wiper designed mainly to destroy data rather than hold it for ransom, and security researchers connected it to the persistent threat group TeleBots, which has launched several cyber-attacks against Ukraine before.
Previously referred to as BlackEnergy and Sandworm, the group allegedly compromised M.E.Doc earlier this year and injected their own code into one of the application’s modules. The malicious module was then pushed as an update to M.E.Doc clients and then used to distribute malware into the networks of these companies.
“It seems very unlikely that attackers could” inject a “very stealthy and cunning backdoor” into one of the software’s legitimate modules “without access to M.E.Doc’s source code,” ESET notes. Named ZvitPublishedObjects.dll, the backdoored module is written using the .NET Framework, is 5MB in size, and “contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.”
The malicious module was part of at least three updates released this year, on April 14, May 15, and June 22, yet M.E.Doc doesn’t appear to have been aware of the compromise, as several updates between April 24 and June 21 didn’t contain the backdoor. The malicious module was used for malware distribution at least twice: to drop the XData ransomware in May and NotPetya in June, ESET says.
“The main backdoor class is named MeCom and it is located in the ZvitPublishedObjects.Server namespace […]. The methods of the MeCom class are invoked by the IsNewUpdate method of UpdaterUtils in the ZvitPublishedObjects.Server namespace. The IsNewUpdate method is called periodically in order to check whether a new update is available,” ESET explains.
The attackers, ESET researchers say, knew exactly which organizations in Ukraine were using the backdoored M.E.Doc, courtesy of a unique legal entity identifier called the EDRPOU number that each company doing business in Ukraine has. Thus, the group could use tailored tactics against the computer network of the targeted organization, depending on their goals.
In addition to the EDRPOU numbers, the backdoor was used to collect proxy and email settings, including usernames and passwords, from the M.E.Doc application. The harvested information was written “into the Windows registry under the HKEY_CURRENT_USERSOFTWAREWC key using Cred and Prx value names.” These values can be used as evidence of compromise, ESET says.
The backdoor was using the M.E.Doc’s regular update check requests to the official M.E.Doc server upd.me-doc.com[.]ua to send the collected information in cookies. By not using external servers for command and control and not generating abnormal network traffic, the backdoor could remain completely hidden on the compromised networks.
Although forensic analysis on the M.E.Doc server wasn’t performed, ESET believes the server was compromised, especially since a PHP backdoor was found in a FTP directory on it. The researchers suggest that the attackers deployed on the server software allowing them to differentiate the requests coming from compromised machines.
The backdoor also includes code that allows the attackers to control the infected machines through a binary blob received via the official M.E.Doc server. After decryption and decompression, the binary reveals “an XML file that could contain several commands at once.”
“This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time,” ESET notes.
Supported commands include RunCmd – shell command execution; DumpData – Base64 data decoding; MinInfo – information gathering (OS version, bitness (32 or 64), current privileges, UAC settings, proxy settings, email settings including login and password); GetFile – file collection; and Payload and AutoPayload – payload execution (as executable or as DLL – via rundll32.exe).
“As our analysis shows, this is a thoroughly well-planned and well-executed operation. We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors,” ESET concludes.
The security researchers also note that further analysis is required to learn for how long the backdoor has been in use and whether the channel was used to push other commands and malware as well. They also note that there’s a possibility that the group might have compromised other software update supply chains but haven’t weaponized them yet.
Related: Ukraine Power Grid Attacks Part of a 2-Year Campaign
Related: BlackEnergy, KillDisk Infect Ukrainian Mining, Railway Systems