M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013

Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013 and getting backdoored on three separate occasions over three months.


The information comes from several security researchers who have analyzed the servers, and also from Ukrainian authorities, who seized the company's servers two days ago on Tuesday.

Access to M.E.Doc gained through an employee login

One of the most credible sources for this report is Cisco, which sent on-the-ground experts to investigate the M.E.Doc servers, the origin point of the NotPetya ransomware outbreak.

In a report released last night, Cisco experts say that the NotPetya group, suspected to be a cyber-espionage group named TeleBots, had infiltrated the company's infrastructure by accessing an employee's credentials. Cisco says the NotPetya gang used those credentials to embed a backdoor inside the M.E.Doc software package and also to place a PHP web shell on the company's web server.

NotPetya group inserts a backdoor in M.E.Doc software

The M.E.Doc backdoor was hidden in a file named "ZvitPublishedObjects.dll," part of the M.E.Doc software installation/update package. ESET has an in-depth report on how this backdoor works.

ESET and Cisco confirmed that the TeleBots crew shipped this backdoor as part of three M.E.Doc software updates on three separate occasions:

M.E.Doc version 01.175-10.01.176, released on 14th of April 2017
M.E.Doc version 01.180-10.01.181, released on 15th of May 2017
M.E.Doc version 01.188-10.01.189, released on 22nd of June 2017

The backdoor inside the code allowed attackers to execute code on computers where M.E.Doc was installed; that's how they sent the NotPetya ransomware to customers and companies that installed these booby-trapped updates.

The first of those tainted M.E.Doc software updates appears to have been a test, while the second and third were used to push the XData and NotPetya ransomware.

Backdoor was very sophisticated, highly stealthy

According to ESET researcher Anton Cherepanov, the backdoor is very sophisticated and used a few creative tricks. For example, the backdoor did not communicate with an external command-and-control server.

The TeleBots (NotPetya) group hosted their C&C server on Intellect Service's M.E.Doc update server at up.me-doc.com[.]ua. Furthermore, all communications with this server were disguised as regular cookies. This allowed the group to disguise any malicious operations as legitimate traffic that would never have caught the attention of any researcher.
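
A defender-side triage heuristic for the cookie-disguised channel described above, as an added example that is not from the original article or from the Cisco or ESET reports. It flags requests to a software update host whose Cookie header carries long, high-entropy values; the host name, the thresholds, and the premise that ordinary update checks carry only short cookies are assumptions, and the sample records are constructed.

```python
import base64
import hashlib
import math
from collections import Counter

# Assumptions (not from the article): placeholder update host and thresholds.
UPDATE_HOSTS = {"updates.vendor.example"}
MAX_VALUE_LEN = 64        # update checks are assumed to carry only short cookies
MIN_ENTROPY_BITS = 4.0    # bits/char; encoded or encrypted blobs sit well above this

def shannon_entropy(s):
    """Empirical entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_cookies(header):
    """Split a Cookie request header into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def opaque_cookies(host, cookie_header):
    """Names of cookies sent to an update host that are long and high-entropy."""
    if host.lower() not in UPDATE_HOSTS:
        return []
    return [name for name, value in parse_cookies(cookie_header).items()
            if len(value) > MAX_VALUE_LEN
            and shannon_entropy(value) >= MIN_ENTROPY_BITS]

def scan(records):
    """Return (client, host, cookie_names) for every record worth triage."""
    hits = [(c, h, opaque_cookies(h, ck)) for c, h, ck in records]
    return [hit for hit in hits if hit[2]]

# Constructed sample proxy records: (client IP, Host header, Cookie header).
_blob = base64.b64encode(b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(3))).decode()
SAMPLE = [
    ("10.0.0.5", "updates.vendor.example", "sid=8f3a9c21"),
    ("10.0.0.7", "updates.vendor.example", "sid=77aa01; pref=" + _blob),
    ("10.0.0.8", "updates.vendor.example", "pad=" + "a" * 100),
    ("10.0.0.9", "www.shop.example", "cart=" + _blob),
]
```

A hit is a lead for review, not proof of compromise: a legitimate update service may itself set large opaque cookies, so the thresholds should be baselined against known-good traffic first.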

M.E.Doc server last updated in February 2013

This was possible because the M.E.Doc software update mechanism ran on a woefully insecure server. A blog post published by Fujitsu's UK team lists a series of vulnerable systems that ran on the server, including old OpenSSH, web server, and FTP software.


Dmytro Shymkiv, the Deputy Head of the Presidential Administration of Ukraine, told Reuters yesterday that Intellect Service had not installed any updates on the affected servers since February 2013. The lack of a properly secured server allowed the TeleBots group to install a PHP file named medoc_online.php, which received or sent commands from/to the backdoor inserted inside the M.E.Doc software client.

PHP web shell on M.E.Doc update server

According to Cisco, during the NotPetya outbreak, this file relayed traffic to an OVH server controlled remotely from a Latvian IP. Connections to the OVH server started and ended within the same time frame as the NotPetya ransomware outbreak. Below is an infographic provided by Cisco detailing the events.

Timeline of M.E.Doc server activity and NotPetya attacks

According to ESET, the TeleBots (NotPetya) group burned a valuable resource (the M.E.Doc infrastructure) when they carried out the NotPetya ransomware outbreak. The backdoor module inserted inside the tainted M.E.Doc software could collect a unique ID that every company entered into its M.E.Doc software settings panel. This ID is a financial code unique to each Ukrainian company. This means that the TeleBots/NotPetya crew could have used this backdoor module to target any Ukrainian business that used M.E.Doc to manage its finances.

Police raids stopped another wave of cyber-attacks

All this ended when Ukrainian police stormed in with force on Tuesday and seized the M.E.Doc server equipment. Initially, Intellect Service had offered to help the authorities with the investigation. Still, on Tuesday, Ukrainian officials told The Associated Press they had detected another cyber-attack coming from M.E.Doc's infrastructure. This second attack was reported on Facebook by Ukraine's Interior Minister Arsen Avakov and was also seen by independent security researchers. Ukrainian police posted a YouTube video documenting the Intellect Service raid.

With the M.E.Doc servers down, Bleeping Computer was told that most Ukrainian companies are now sharing older versions of the M.E.Doc software via Google Drive links. The software provided by Intellect Service is so crucial to Ukrainian companies that even after the NotPetya outbreak, many companies can't manage their finances without it, despite the looming danger of another incident.

Because the software is currently being shared among users, Ukrainian organizations are exposing themselves to even more dangerous threats, such as installing booby-trapped M.E.Doc versions from unofficial sources like Dropbox or Google Drive.
