Anti-Malware , Ransomware , Technology

NotPetya Patient Zero: Ukrainian Accounting Software Vendor

Backdoored Software Facilitated Malware Attack, ESET Finds
NotPetya Patient Zero: Ukrainian Accounting Software Vendor

Want to launch a targeted attack designed to infect large numbers of PCs in a specific country? Then target a specific software application used by 80 percent of all businesses in the nation.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

To wit: There's increasing evidence that the outbreak of NotPetya - aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C - that began June 27 was facilitated by attackers gaining access to the source code of a widely used accountancy and bookkeeping package called M.E. Doc, which counts 400,000 clients.

In addition, a backdoor in the same software may have also been used in May to distribute a strain of apparent ransomware called XData, aka AESNI.C.

That's according to an analysis published Tuesday by Slovakian security firm ESET, which has been reviewing software updates released by M.E. Doc.

Ukrainian police and multiple security firms - including Cisco Talos, Microsoft and Symantec - have also traced the NotPetya outbreak to M.E. Doc, although it had been unclear if the attack might have been distributed directly via the software vendor's update servers. In addition, the M.E. Doc software provides messaging capabilities, which in theory could have been used to facilitate phishing attacks. But there are no reports of such attacks.

Vendor Denies Spreading Virus

Intellect Service, which develops M.E. Doc - used by 80 percent of businesses in Ukraine - has issued seemingly conflicting statements about the NotPetya outbreak, and its potential role therein:

  • On June 27, M.E. Doc said that reports that its software had been used to disseminate the malware were "clearly erroneous," claiming that it maintained rigorous code-quality checks.
  • On June 28, M.E. Doc issued a statement on its website - since deleted - saying that it was under attack.
  • On June 29, the firm said it was working with police to investigate the matter, and that it had brought in an incident response team from Cisco.

Olesya Linnik, managing partner at Intellect Service, has since denied reports that her firm somehow spread NotPetya. "The cyber police are currently bogged down in the investigation, we gave them the logs of all our servers and there are no traces that our servers spread this virus," she told Reuters on Monday.

Attackers Accessed Backdoor

Research by ESET, however, suggests that what she says is correct, in that her firm's servers did not directly distribute the NotPetya malicious code.

Instead, the M.E. Doc software was backdoored, so that after customers received the updated software, attackers could use the backdoor to remotely access the user's systems, says Anton Cherepanov, a malware researcher at ESET, in a blog post.

List of classes in backdoored module, on left, versus non-backdoored module on right. (Source: ESET)

The security firm has so far found that three M.E. Doc software updates - dated April 14, May 15 and June 22 - contained "a very stealthy and cunning backdoor that was injected by attackers into one of M.E. Doc's legitimate modules," Cherepanov says.

"It seems very unlikely that attackers could do this without access to M.E. Doc's source code," adds Cherepanov, who's analyzed a number of campaigns that used TeleBots and BlackEnergy malicious toolsets, and who's found commonalities between those toolsets and NotPetya.

A module refers to a block of code that offers discrete functionality that can be called by the rest of the code. By adding a backdoor to the software, it meant attackers could later remotely access any installation of that software, for example to instruct it to download and execute malicious code. In theory, attackers could have also installed other software, such as keyloggers; used the backdoor to push attack code designed to find and infect more high-value systems; and exfiltrated data.

ESET says there may be more than the three backdoors it discovered, saying it has not exhaustively analyzed the full M.E. Doc installation, which is about 1.5 GB in size.

Extra Points for Elegance

Whoever ran the NotPetya campaign - Ukraine quickly blamed Russia, but independent security experts say it's too soon to draw conclusions - gets points for elegance.

That's because every organization that does business in Ukraine has a unique legal entity identifier, called an ERDPOU code, which is reflected in every M.E. Doc software installation. ESET says that beyond the backdoor, attackers also injected code that cataloged ERDPOU numbers in installed versions of the application, then relayed this information back to Intellect Service's servers via innocuous-looking cookies.

HTTP request from a backdoored M.E. Doc module that contains a victim's EDRPOU number in cookies. (Source: ESET)

"This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E. Doc," Cherepanov says. "Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers' goal(s)."

Furthermore, M.E. Doc is one of only two accountancy software packages approved for filing taxes by the Ukrainian government. The software is reportedly used by 80 percent of Ukrainian firms.

Updates Correspond With Outbreaks

Security researchers say NotPetya is one of four apparent ransomware campaigns to have recently hit Ukraine. The malware strains were XData, which looked like AES-NI; PSCrypt, based on Globe Imposter Ransomware; NotPetya, based on Petya; as well as a WannaCry lookalike.

ESET's Cherepanov says two of those attacks were launched just days after a backdoored M.E. Doc update was released. The NotPetya outbreak, for example, happened five days after the backdoored June 22 update. And the XData outbreak happened three days after the backdoored May 15 update.

Unlike NotPetya, XData - aka AESNI.C - infected relatively few systems. But Cherepanov says that after the release of the backdoored May 15 update, M.E. Doc pushed a May 17 update that no longer contained the backdoor. He suspects the May 17 update caught attackers by surprise. "They pushed the ransomware on May 18th" - to versions of M.E. Doc that still had the backdoor - "but the majority of M.E. Doc users no longer had the backdoored module as they had updated already," he says.

What is not clear is how M.E. Doc might have expunged the backdoored code from its development systems, and whether it detected signs that the code had been tampered with.

Ukrainian police have said the company could face criminal charges if it detected related attacks but failed to take them seriously (see Police in Ukraine Blame Russia for NotPetya).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network