M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013


Servers and infrastructure belonging to Intellect Service, the business enterprise in the back of the M.E.Doc accounting software program, had been grossly mismanaged, being left with out updates on account that 2013, and getting backdoored on three separate events throughout the beyond three months.


The records come from several security researchers which have analyzed the servers, however additionally from Ukrainian authorities, who on Tuesday, two days ago, seized the company’s servers.

Attackers won get entry to M.E.Doc thru worker login
One of the maximum credible resources for this records is Cisco, who despatched on-the-floor professionals to research the M.E.Doc servers, the origin point of the NotPetya ransomware outbreak.

In a document released final night time, Cisco experts say that the NotPetya institution — suspected to be a cyber-espionage institution named TeleBots — had infiltrated the company’s infrastructure by means of having access to an employee’s credentials.



Cisco says the NotPetya gang used those credentials to embed a backdoor inside the M.E.Doc software package deal, but additionally, place a PHP web shell on the business enterprise’s net server.

NotPetya organization inserts backdoor in M.E.Doc software


Related Articles : 

The M.E.Doc software program backdoor was hidden in a file named “ZvitPublishedObjects.Dll,” part of the M.E.Doc software program installation/replace bundle. ESET has an in-depth file on how this backdoor works.

Both ESET and Cisco showed that the TeleBots crew shipped this backdoor a part of three M.E.Doc software updates, on 3 separate events.

M.E.Doc model 01.A hundred seventy five-10.01.176, released on 14th of April 2017
M.E.Doc model 01.180-10.01.181, launched on 15th of May 2017
M.E.Doc version 01.188-10.01.189, released on twenty second of June 2017
The backdoor inside the code allowed attackers to execute code on computers where M.E.Doc became set up, that’s how they sent the NotPetya ransomware to customers and corporations that set up these boobytrapped updates.

The first of those tainted M.E.Doc software updates appear to were a take a look at, while the second and 1/3 were used to push the XData and NotPetya ransomware.

Backdoor changed into very state-of-the-art, surprisingly stealthy
According to ESET researcher Anton Cherepanov, the backdoor is very state-of-the-art and used a few creative hints. For example, the backdoor did not speak with an outside command-and-manipulate server.

The TeleBots (NotPetya) institution hosted their C&C server right on Intellect Service’s M.E.Doc update server at upd.Me-doc.Com[.]ua. Furthermore, all communications with those servers were disguised as everyday cookies.

This allowed the group to cover any malicious operations as legitimate site visitors that would have by no means caught the attention of any researcher.

M.E.Doc server remaining up to date in February 2013
This become viable due to the fact the M.E.Doc software program replace mechanism ran on a woefully insecure server. A blog publish from Fujitsu’ UK team lists a series of inclined structures that ran at the server, inclusive of old OpenSSH, net server, and FTP software.





Dmytro Shymkiv, the Deputy Head of the Presidential Administration of Ukraine, instructed Reuters the day before today that Intellect Service had no longer installed any updates on the affected servers seeing that February 2013.

The lack of a nicely secured server allowed the TeleBots group to put in a PHP document named medoc_online.Php, which received or sent instructions from/to the backdoor inserted inside the M.E.Doc software program client.

PHP web shell on M.E.Doc update server
PHP web shell on M.E.Doc replace server
According to Cisco, all through the NotPetya outbreak, this file relayed site visitors to an OVH server controlled remotely from a Latvian IP.

Connections to the OVH server started out and ended within the equal time-frame as the NotPetya ransomware outbreak. Below is an infographic supplied by using Cisco detailing the events.

Timeline of M.E.Doc server hobby and NotPetya assaults

According to ESET, the TeleBots (NotPetya) group burned a treasured resource (M.E.Doc infrastructure) once they accomplished the NotPetya ransomware outbreak.

The backdoor module inserted inside the tainted M.E.Doc software program had the capability to accumulate a completely unique ID that every organization entered of their M.E.Doc software program settings panel. This ID is a financial code unique for each Ukrainian enterprise. This manner that the TeleBots/NotPetya team may want to have used this backdoor module to target any Ukrainian commercial enterprise that used M.E.Doc to manage their budget.

Police raid stopped another wave of cyber-attacks
All this ended while Ukrainian police stormed in pressure on Tuesday and seized M.E.Doc server system.

Initially, Intellect Service had presented to assist the government with the research, but on Tuesday, Ukrainian officials instructed The Associated Press they detected another cyber-attack coming from M.E.Doc’s infrastructure.

This 2nd attack becomes pronounced on Facebook via Ukraine’s Interior Minister Arsen Avakov and became additionally visible by impartial protection researchers.

Below is a YouTube video posted via Ukrainian police documenting the Intellect Service raid.


With the M.E.Doc servers down, Bleeping Computer became instructed that most Ukrainian companies are now sharing older variations of the M.E.Doc software via Google Drive hyperlinks. The software furnished through Intellect Service is so crucial to Ukrainian agencies that even after the NotPetya outbreak, many companies can’t manage their price range without it, in spite of the looming danger of some other incident.

Because of the way the software is currently shared among a few users, Ukrainian organizations are now exposing themselves to even greater dangerous threats, together with putting in boobytrapped M.E.Doc variations from unofficial sources like Dropbox or Google Drive.

Related posts

NCR software at the back of Swiss banks’ ATMfutura challenge

Brooke Cain

Trump administration limits government use of Kaspersky Lab software program

Brooke Cain

New Video Shows Dramatic Raid of Software Firm Linked to NotPetya Attack

Brooke Cain