Doctor Web: MEDoc contains a backdoor giving attackers access to a computer
Analysts from Doctor Web investigated the MEDoc update module and found its involvement in the spread of at least one more malicious program. We remind you that, according to independent researchers, the source of the recent epidemic of the cipher worm Trojan.Encoder.12544, also known as NePetya, Petya.A, ExPetya and WannaCry-2, was the update module of the popular in Ukraine program for tax reporting Medoc.
Reports claim that the initial spread of the Trojan.Encoder.12544 worm was carried out through the popular MEDoc application developed by the Ukrainian company Intellect Service. In one of the modules of the MEDoc update system called ZvitPublishedObjects.Server.MeCom, Dr. Web analytics virus analysts found an entry corresponding to the characteristic Windows registry key: HKCU \ SOFTWARE \ WC.
The Doctor Web specialists noticed this registry key due to the fact that the Trojan cryptographer Trojan.Encoder.12703 uses the same path in its work. Analysis of the Dr.Web anti-virus log received from the computer of one of our clients showed that the encoder Trojan.Encoder.12703 was launched on an infected machine by ProgramData \ Medoc \ Medoc \ ezvit.exe, which is a component of the MEDoc program:
')
The ZvitPublishedObjects.dll file requested from the infected machine had the same hash as the sample examined in the Doctor Web virus lab. Thus, our analysts have come to the conclusion that the MEDoc update module, implemented as a ZvitPublishedObjects.dll dynamic library, contains a backdoor. Further research has shown that this backdoor can perform the following functions in an infected system:
The following code snippet of the MEDoc update module looks very interesting - it allows you to start the payload using the rundll32.exe utility with the parameter # 1:
It was in this way that a cipher Trojan known as NePetya, Petya.A, ExPetya and WannaCry-2 (Trojan.Encoder.12544) was launched on the victim’s computers.
In one of their interviews, which was published on the Reuters agency website, the developers of the MEDoc program stated that the application they created does not contain any malicious functions. Based on this, and also taking into account the data of static code analysis, the virus analysts of Doctor Web came to the conclusion that some unidentified attackers infected one of the MEDoc components with a malicious program. This component has been added to Dr.Web virus databases under the name BackDoor.Medoc.
→ More about Trojan
PS In Ukraine, the servers were seized from the company that spread the Petya virus.
Reports claim that the initial spread of the Trojan.Encoder.12544 worm was carried out through the popular MEDoc application developed by the Ukrainian company Intellect Service. In one of the modules of the MEDoc update system called ZvitPublishedObjects.Server.MeCom, Dr. Web analytics virus analysts found an entry corresponding to the characteristic Windows registry key: HKCU \ SOFTWARE \ WC.
The Doctor Web specialists noticed this registry key due to the fact that the Trojan cryptographer Trojan.Encoder.12703 uses the same path in its work. Analysis of the Dr.Web anti-virus log received from the computer of one of our clients showed that the encoder Trojan.Encoder.12703 was launched on an infected machine by ProgramData \ Medoc \ Medoc \ ezvit.exe, which is a component of the MEDoc program:
')
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
source context: start addr: 0x7fef06cbeb4, image: 0x7fef05e0000:\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18o EJeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6 UGTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad9 2ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvD X0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425036 ==> allowed [2], time: 0.285438 ms
2017-Jun-27 15:41:42.626500 [7608] [INF] [4480] [arkdll]
id: 425037, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
source context: start addr: 0x7fefcfc4c7c, image: 0x7fefcfc0000:\Device\HarddiskVolume3\Windows\System32\csrsrv.dll
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0
curdir: C:\windows\system32\, cmd: \??\C:\windows\system32\conhost.exe "1955116396976855329-15661177171169773728-1552245407-149017856018122784351593218185"
status: signed_microsoft, spc / signed_microsoft / clean
id: 425037 ==> allowed [2], time: 0.270931 ms
2017-Jun-27 15:41:43.854500 [7608] [INF] [4480] [arkdll]
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 1340/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
source context: start addr: 0x4a1f90b4, image: 0x4a1f0000:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18oE JeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6U GTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad92 ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvDX 0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
fileinfo: size: 3880448, easize: 0, attr: 0x2020, buildtime: 01.01.2016 02:25:26.000, ctime: 27.06.2017 15:41:42.196, atime: 27.06.2017 15:41:42.196, mtime: 27.06.2017 15:41:42.196, descr: wc, ver: 1.0.0.0, company: , oname: wc.exe
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425045 ==> undefined [1], time: 54.639770 msThe ZvitPublishedObjects.dll file requested from the infected machine had the same hash as the sample examined in the Doctor Web virus lab. Thus, our analysts have come to the conclusion that the MEDoc update module, implemented as a ZvitPublishedObjects.dll dynamic library, contains a backdoor. Further research has shown that this backdoor can perform the following functions in an infected system:
- collection of data for access to mail servers;
- execute arbitrary commands in the infected system;
- upload arbitrary files to the infected computer;
- download, save and run any executable files;
- upload arbitrary files to a remote server.
The following code snippet of the MEDoc update module looks very interesting - it allows you to start the payload using the rundll32.exe utility with the parameter # 1:
It was in this way that a cipher Trojan known as NePetya, Petya.A, ExPetya and WannaCry-2 (Trojan.Encoder.12544) was launched on the victim’s computers.
In one of their interviews, which was published on the Reuters agency website, the developers of the MEDoc program stated that the application they created does not contain any malicious functions. Based on this, and also taking into account the data of static code analysis, the virus analysts of Doctor Web came to the conclusion that some unidentified attackers infected one of the MEDoc components with a malicious program. This component has been added to Dr.Web virus databases under the name BackDoor.Medoc.
→ More about Trojan
PS In Ukraine, the servers were seized from the company that spread the Petya virus.
Source: https://habr.com/ru/post/332444/
All Articles