M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013

Servers and infrastructure belonging to Intellect Service, the business enterprise in the back of the M.E.Doc accounting software program, had been grossly mismanaged, being left without updates on account that 2013, and getting backdoored on three separate events throughout the beyond three months.


The records come from several security researchers who have analyzed the servers, however additionally from Ukrainian authorities, who on Tuesday, two days ago, seized the company’s servers.

Attackers won get entry to M.E.Doc thru worker login. One of the maximum credible resources for this record is Cisco, who despatched on-the-floor professionals to research the M.E.Doc servers, the origin point of the NotPetya ransomware outbreak.

In a document released last night time, Cisco experts say that the NotPetya institution — suspected to be a cyber-espionage institution named TeleBots — had infiltrated the company’s infrastructure by having access to an employee’s credentials.


Cisco says the NotPetya gang used those credentials to embed a backdoor inside the M.E.Doc software package deal, but additionally, place a PHP web shell on the business enterprise’s net server. NotPetya organization inserts backdoor in M.E.Doc software.

Related Articles : 

The M.E.Doc software program backdoor was hidden in a file named “ZvitPublishedObjects.Dll,” part of the M.E.Doc software program installation/replace bundle. ESET has an in-depth file on how this backdoor works.

Both ESET and Cisco showed that the TeleBots crew shipped this backdoor a part of three M.E.Doc software updates on 3 separate events. M.E.Doc model 01.A hundred seventy five-10.01.176, released on 14th of April 2017 M.E.Doc model 01.180-10.01.181, launched on 15th of May 2017 M.E.Doc version 01.188-10.01.189, released on the twenty-second of June 2017. The backdoor inside the code allowed attackers to execute code on computers where M.E.Doc became set up; that’s how they sent the NotPetya ransomware to customers and corporations that set up these booby-trapped updates.

The first of those tainted M.E.Doc software updates appear to be a look at, while the second and 1/3 were used to push the XData and NotPetya ransomware. Backdoor changed into very state-of-the-art, surprisingly stealth according to ESET researcher Anton Cherepanov, the backdoor is very state-of-the-art and used a few creative hints. For example, the backdoor did not speak with an outside command-and-manipulate server.

The TeleBots (NotPetya) institution hosted their C&C server right on Intellect Service’s M.E.Doc update server at upd.Me-doc.Com[.]ua. Furthermore, all communications with those servers were disguised as everyday cookies. This allowed the group to cover any malicious operations as legitimate site visitors that would have by no means caught the attention of any researcher.

M.E.Doc server remaining up to date in February 2013

This becomes viable because the M.E.Doc software program replaces the mechanism ran on a woefully insecure server. A blog publishes by Fujitsu’s UK team lists a series of inclined structures that ran at the server, inclusive of old OpenSSH, net server, and FTP software.


Dmytro Shymkiv, the Deputy Head of the Presidential Administration of Ukraine, instructed Reuters the day before today that Intellect Service had no longer installed any updates on the affected servers seeing that February 2013. The lack of a nicely secured server allowed the TeleBots group to put in a PHP document named medoc_online.Php, which received or sent instructions from/to the backdoor inserted inside the M.E.Doc software program client.

PHP web shell on M.E.Doc update server

According to Cisco, all through the NotPetya outbreak, this file relayed site visitors to an OVH server controlled remotely from a Latvian IP. Connections to the OVH server started and ended within the equal time frame as the NotPetya ransomware outbreak. Below is an infographic supplied by using Cisco detailing the events.

Timeline of M.E.Doc server hobby and NotPetya assaults

According to ESET, the TeleBots (NotPetya) group burned a treasured resource (M.E.Doc infrastructure) once they accomplished the NotPetya ransomware outbreak. The backdoor module inserted inside the tainted M.E.Doc software program had the capability to accumulate a unique ID that every organization entered of their M.E.Doc software program settings panel. This ID is a financial code unique for each Ukrainian enterprise. In this manner that the TeleBots/NotPetya team may want to have used this backdoor module to target any Ukrainian commercial enterprise that used M.E.Doc to manage their budget.

Police raids stopped another wave of cyber-attacks. All this ended while Ukrainian police stormed in pressure on Tuesday and seized the M.E.Doc server system. Initially, Intellect Service had presented to assist the government with the research, but on Tuesday, Ukrainian officials instructed The Associated Press they detected another cyber-attack coming from M.E.Doc’s infrastructure. This 2nd attack became pronounced on Facebook via Ukraine’s Interior Minister Arsen Avakov and became additionally visible by impartial protection researchers. Below is a YouTube video posted via Ukrainian police documenting the Intellect Service raid.

With the M.E.Doc servers down, Bleeping Computer became instructed that most Ukrainian companies are now sharing older variations of the M.E.Doc software via Google Drive hyperlinks. The software furnished through Intellect Service is so crucial to Ukrainian agencies that even after the NotPetya outbreak, many companies can’t manage their price range without it, despite the looming danger of some other incident.

Because of the way the software is currently shared among a few users, Ukrainian organizations are now exposing themselves to even greater dangerous threats, together with putting in boobytrapped M.E.Doc variations from unofficial sources like Dropbox or Google Drive.

Related posts

Administrator: More body of workers, new software program could resource economic controls

Brooke Cain

New Video Shows Dramatic Raid of Software Firm Linked to NotPetya Attack

Brooke Cain

The Best Software in the World – How to Get it

Brooke Cain