On June 27, companies in Ukraine and other countries fell victim to a large-scale cyber attack by the ransomware DiskCoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). The malware is disguised as ordinary ransomware: it encrypts data and demands a ransom for the decryption key. But since the authors sought to inflict maximum damage, the chances of recovering the data are minimal.
In the last report, we pointed out the connection between the DiskCoder.C epidemic, the TeleBots cyber group and other attacks on Ukrainian companies. In this article we reveal the details of the initial infection vector.
The story of malicious updates
The Cyber Police Department of the National Police of Ukraine confirmed the information from ESET and other anti-virus vendors that the attackers used the legitimate MEDoc software to launch DiskCoder.C at the initial stage of the attack. However, until now there were no details on how this was implemented.
In the course of our research, we discovered a complex, well-hidden backdoor embedded in one of the legitimate modules of MEDoc. It is unlikely that the attackers could have done this without access to the MEDoc source code.
The file name of the backdoor module is ZvitPublishedObjects.dll. It is written using the .NET Framework. The file is 5 MB in size and contains legitimate code that can be called by other components, including the main MEDoc executable, ezvit.exe.
We studied all MEDoc updates released in 2017, and found that at least three updates contained a backdoor module:
- 10.01.175-10.01.176 of April 14
- 10.01.180-10.01.181 of May 15
- 10.01.188-10.01.189 of June 22
Note the dates.
The attack with Win32/Filecoder.AESNI.C (XData) began three days after update 10.01.180-10.01.181; DiskCoder.C followed five days after update 10.01.188-10.01.189. Four updates in the period from April 24 to May 10 and seven from May 17 to June 21 did not contain the malicious module.
An interesting point concerns the AESNI.C encryptor. The MEDoc update of May 15 contained the backdoor, and the next one, of May 17, did not. This may explain the relatively small number of infections: the attackers launched the encryptor on May 18, when most MEDoc users had already installed the clean update.
The timestamps of the studied files suggest that they were compiled on the day of the update release or the day before.
Figure 1. Compilation timestamp of the backdoored update module released on May 15.
Figure 2 shows the differences between the class lists of the ZvitPublishedObjects.dll module with and without the backdoor, as displayed by the ILSpy .NET Decompiler.
Figure 2. List of module classes with the backdoor (left) and without it (right).
The class containing the main backdoor is called MeCom; it is located in the ZvitPublishedObjects.Server namespace.
Figure 3. The MeCom class with malicious code, as shown in ILSpy .NET Decompiler.
The methods of the MeCom class are called from the IsNewUpdate method of the UpdaterUtils class in the ZvitPublishedObjects.Server namespace. The IsNewUpdate method is called periodically to check whether an update is available. The backdoored module of May 15 is implemented slightly differently and has fewer functions than the module of June 22.
Each Ukrainian company is assigned a legal entity identifier, a code from the EDRPOU (Unified State Register of Enterprises and Organizations of Ukraine). This is useful for the attackers: by the code they can identify the organization that is running the backdoored MEDoc version. They can then apply various tactics to that organization's network, depending on their goals.
Since MEDoc is used for accounting, it can be assumed that EDRPOU codes will be found on the machines where this software is installed. The malicious code injected into the IsNewUpdate method collects the codes from the application. One MEDoc account can be used to keep the books of several organizations, so the backdoor collects all available EDRPOU codes.
Figure 4. Code that collects the EDRPOU codes.
In addition to the EDRPOU codes, the backdoor collects from the MEDoc application information about the proxy and mail server settings, including logins and passwords.
Attention! ESET recommends that all MEDoc users change the passwords for their proxy servers and email accounts.
The malicious code writes the collected information to the Windows registry under the key HKEY_CURRENT_USER\SOFTWARE\WC, using the values Cred and Prx. If these values exist on a computer, it is likely that the backdoor has been active on it.
And now the most interesting part. The backdoor does not use external servers as C&C; their role is played by the requests MEDoc makes to its official server upd.me-doc.com[.]ua to check for updates. The only difference from a legitimate request is that the backdoor sends the collected information in a cookie.
Figure 5. HTTP backdoor request containing EDRPOU codes in the cookie.
We did not perform a retrospective analysis of the MEDoc server. However, as noted in our last report, there are signs that it was compromised. We therefore assume that the attackers deployed server-side software that allowed them to tell requests from compromised machines apart from those of clean ones.
Figure 6. Backdoor code that adds cookies to the request.
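Because the beacon differs from a legitimate update check only by the cookie it carries, the network-side indicator is simply an update-check request to upd.me-doc.com[.]ua that has a Cookie header at all. The following PowerShell is an added example, not ESET's code or anything from the article: it scans proxy access-log lines for that pattern. The log format, the sample lines, the request path and the cookie contents are all constructed for illustration and must be adapted to the real access-log format in use.

```powershell
# Added example (not from the article or ESET): flag update-check requests to the
# MEDoc update server that carry a Cookie header. Per the article, the backdoor's
# beacon differs from a legitimate update request only by the cookie it adds.
# Log format, sample lines, request path and cookie contents are constructed.

$SampleLog = @(
    '2017-06-22T09:14:03Z 10.1.5.21 GET http://upd.me-doc.com.ua/check cookie="-"',
    '2017-06-22T09:14:07Z 10.1.5.22 GET http://upd.me-doc.com.ua/check cookie="CODE=12345678"',
    '2017-06-22T09:15:11Z 10.1.5.23 GET http://www.example.com/ cookie="session=abc"'
)

function Find-MeDocBeacon {
    param([string[]]$LogLines)

    # Constructed format: <timestamp> <client-ip> <method> <url> cookie="<value or ->"
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+cookie="(?<cookie>[^"]*)"$'

    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $ts     = $Matches['ts']
            $client = $Matches['client']
            $url    = $Matches['url']
            $cookie = $Matches['cookie']

            # Legitimate update checks to upd.me-doc.com.ua carry no cookie, so any
            # non-empty cookie on this host is the indicator. Other hosts are out of scope.
            $isUpdateServer = $url -match '^https?://upd\.me-doc\.com\.ua(/|$)'
            $hasCookie      = ($cookie -ne '-') -and ($cookie -ne '')
            if ($isUpdateServer -and $hasCookie) {
                [pscustomobject]@{
                    Time   = $ts
                    Client = $client
                    Url    = $url
                    Cookie = $cookie
                }
            }
        }
    }
}

# On the constructed sample, only the second line (client 10.1.5.22) is reported.
Find-MeDocBeacon -LogLines $SampleLog | Format-Table -AutoSize
```

The function returns one object per suspicious request, so the output can be piped to `Export-Csv` or joined against an asset inventory to map reporting clients to hosts. It only works where the proxy logs the Cookie header (or at least its presence); for TLS-intercepting proxies that log only the host, the match would have to be loosened to any request to the update server and then triaged by client.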
Of course, the backdoor's authors also provided the ability to control the infected machine. The code retrieves a binary blob from the official MEDoc server, decrypts it with the Triple DES algorithm, and then decompresses it with GZip. The result is an XML file that can contain several commands at once. This remote-control capability turns the backdoor into a fully functional platform for cyber espionage and sabotage.
Figure 7. The backdoor code decrypts incoming operator commands.
The table below shows the possible commands:

It is worth noting that command 5, named AutoPayload by the malware authors, corresponds exactly to how DiskCoder.C was launched on the "patient zero" machines, those from which the network infection started.
Figure 8. The AutoPayload function used to execute DiskCoder.C.
Conclusions
As the study shows, the operation was carefully planned and executed. We assume that the attackers had access to the source code of the MEDoc application. They had time to study the code and embed a well-hidden, complex backdoor in it. The MEDoc application is about 1.5 GB in size, and we have not yet had enough time to check whether it contains any other backdoors.
A number of questions remain to be answered. How long has the backdoor been in use? What commands and malware, in addition to DiskCoder.C and AESNI.C, were sent through this channel? What other infrastructure has been compromised but not yet used by the cyber group behind this attack?
Thanks to our colleagues Frédéric Vachon and Thomas Dupuy for their help.
Indicators of Compromise (IoC)
Detection by ESET products: MSIL/TeleDoor.A
Legitimate server used by the malware authors: upd.me-doc.com[.]ua
Registry key: HKEY_CURRENT_USER\SOFTWARE\WC
SHA-1 hashes:
7B051E7E7A82F07873FA360958ACC6492E4385DD
7F3B1C56C180369AE7891483675BEC61F3182F27
3567434E2E49358E8210674641A20B147E0BD23C
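The two host-side indicators above (the Cred and Prx values under HKEY_CURRENT_USER\SOFTWARE\WC, and the SHA-1 hashes of the backdoored ZvitPublishedObjects.dll) can be checked on a Windows machine with the following PowerShell. It is an added example written for this article and is not ESET's code or a MEDoc component. The MEDoc install directories it searches are assumptions; the registry path, value names and hashes are taken from the article.

```powershell
# Added example (not ESET's code): host triage for the MEDoc backdoor indicators
# listed in the article. Install directories are assumed; adjust for the local setup.

$IocHashes = @(
    '7B051E7E7A82F07873FA360958ACC6492E4385DD',
    '7F3B1C56C180369AE7891483675BEC61F3182F27',
    '3567434E2E49358E8210674641A20B147E0BD23C'
)

function Test-MeDocBackdoorRegistry {
    # The backdoor stores harvested credentials and proxy settings under
    # HKEY_CURRENT_USER\SOFTWARE\WC in the values Cred and Prx. HKCU is only the hive
    # of whoever runs this script, so every loaded user hive under HKEY_USERS is checked.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\SOFTWARE\WC"
        if (-not (Test-Path -Path $keyPath)) { continue }
        $props = Get-ItemProperty -Path $keyPath
        foreach ($name in 'Cred', 'Prx') {
            if ($null -ne $props.PSObject.Properties[$name]) {
                # Only the presence is reported: the values may contain plaintext passwords.
                [pscustomobject]@{
                    Indicator = 'Registry'
                    Location  = "$keyPath\$name"
                    Detail    = 'value present (contents not displayed)'
                }
            }
        }
    }
}

function Test-MeDocBackdoorModule {
    param(
        # Assumed install locations of MEDoc; not taken from the article.
        [string[]]$SearchRoot = @('C:\Program Files\Medoc', 'C:\Program Files (x86)\Medoc')
    )
    Get-ChildItem -Path $SearchRoot -Filter 'ZvitPublishedObjects.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
            if ($IocHashes -contains $sha1) {
                [pscustomobject]@{
                    Indicator = 'FileHash'
                    Location  = $_.FullName
                    Detail    = "SHA-1 $sha1 matches a known backdoored module"
                }
            }
        }
}

$findings = @(Test-MeDocBackdoorRegistry) + @(Test-MeDocBackdoorModule)
if ($findings.Count -eq 0) {
    Write-Output 'No MeDoc backdoor indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it elevated so that all loaded user hives are readable. Two limitations follow from the indicators themselves: HKEY_USERS only exposes hives of users currently logged on, so profiles of other users have to be loaded (or their NTUSER.DAT files examined offline) separately, and a hash mismatch is not proof of a clean module, because the article lists the hashes of the three backdoored updates found so far and notes that the check of the rest of the application is not yet complete.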