
The story of cyber espionage behind pharmacies

Against the backdrop of all these ransomware epidemics, the work of backdoors, dangerous and hard to spot precisely because they operate quietly and are invisible at first glance, somehow gets overlooked. And in vain! Updates are usually applied only when the "house is already burning", although, it would seem, if you find a backdoor in time and close it, instead of continuing to pretend that everything is in order, situations like this one can be avoided.

Well, here is a case in point: the story of cyber attacks on pharmacies has a sequel.

Doctor Web responds to the accusations made by Spargo Technologies and explains the facts of industrial espionage at Russian pharmacies that its investigation uncovered.

After Doctor Web published the results of its investigation into a targeted attack on many Russian pharmacy chains and pharmaceutical companies using the BackDoor.Dande malicious program, a statement appeared on the official website of Spargo Technologies JSC claiming that Doctor Web, in violation of business ethics, is spreading false and unreliable information about malicious files in the ePrica program. Doctor Web defends its good name and helps Spargo Technologies understand the situation.

It should be noted, firstly, that Spargo Technologies did not approach Doctor Web for additional information before publishing its statement, and instead found it possible to accuse us while deliberately distorting the substance of the information we published.

Secondly, when Doctor Web began its investigation in 2012, more than 2,800 pharmacies and Russian pharmaceutical companies were already infected (according to our company's virus monitoring service). Incidentally, it was complaints from our customers that prompted the investigation. Moreover, the spyware module BackDoor.Dande.61 found by Doctor Web specialists is flagged as malicious by 41 of the 63 antivirus vendors represented on VirusTotal.

Thirdly, it is important to note that ePrica itself did not contain malicious files, and accordingly Doctor Web never wrote that it did. ePrica is an application developed by Spargo Technologies that lets pharmacy managers compare medicine prices and select the optimal supplier. The dynamic library PriceCompareLoader.dll used by this program exports functions that run libraries in memory. PriceCompareLoader.dll is called from PriceComparePm.dll. This library attempts to download a payload from a website, decrypt it with the AES algorithm and run it from memory. The Trojan was downloaded from ws.eprica.ru, a site owned by Spargo Technologies and intended for updating ePrica. At the same time, the module that covertly downloaded the malicious program straight into the computer's memory carried a valid "Spargo" digital signature, and it was precisely this hidden-download scheme that made such a lengthy investigation necessary to determine the source of the infection. The Trojan uploaded the commercial information stolen from infected computers to servers outside Russia. In other words, as with Trojan.Encoder.12544 distributed via MEDoc, the backdoor was hidden in the program's update module.
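The loader chain described above fetches a blob, AES-decrypts it and executes it in memory. AES here gives confidentiality only: a successful decryption says nothing about who produced the blob, so whoever controls the download host (or holds the key) can push arbitrary code under cover of the vendor's signed loader. The Go program below is an added example, not Spargo's or Doctor Web's code, showing the gate such an updater should have: a manifest binding product, version and payload digest, signed with a vendor release key whose public half is pinned in the client, with any payload not covered by a valid manifest refused before it is loaded. The product string, payload bytes and key pair are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest describes one update. Only the manifest is signed by the vendor's
// release key; the payload is bound to it by its SHA-256 digest, so an attacker
// who controls the download host cannot swap the blob without also producing a
// signature over a new manifest.
type Manifest struct {
	Product       string
	Version       string
	PayloadSHA256 [sha256.Size]byte // digest of the plaintext payload
}

// encode produces the canonical bytes that are signed. Length-prefixing each
// string prevents ambiguity between, e.g., ("ab","c") and ("a","bc").
func (m Manifest) encode() []byte {
	var out []byte
	for _, s := range []string{m.Product, m.Version} {
		out = append(out, byte(len(s)>>8), byte(len(s)))
		out = append(out, s...)
	}
	return append(out, m.PayloadSHA256[:]...)
}

// GenerateVendorKey stands in for the vendor's offline release key (constructed
// fresh here; in practice the private half never leaves the release system).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure; nothing sensible to do in a demo
	}
	return pub, priv
}

// SignManifest runs on the vendor's release side.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// NewRelease builds and signs the manifest for a payload (release side).
func NewRelease(priv ed25519.PrivateKey, product, version string, payload []byte) (Manifest, []byte) {
	m := Manifest{Product: product, Version: version, PayloadSHA256: sha256.Sum256(payload)}
	return m, SignManifest(priv, m)
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrPayloadHash  = errors.New("payload digest does not match manifest")
)

// VerifyUpdate is the client-side gate. pub is pinned in the client binary;
// manifest, sig and payload all arrived over the network and are untrusted.
// The checks run in this order so a forged manifest is rejected before any of
// its fields are trusted.
func VerifyUpdate(pub ed25519.PublicKey, expectProduct string, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrBadSignature
	}
	if m.Product != expectProduct {
		return ErrWrongProduct
	}
	if sha256.Sum256(payload) != m.PayloadSHA256 {
		return ErrPayloadHash
	}
	return nil // only now may the payload be decrypted/loaded
}

func main() {
	pub, priv := GenerateVendorKey()
	good := []byte("constructed: legitimate price-comparison module")
	m, sig := NewRelease(priv, "ePrica", "1.2.3", good)
	fmt.Println("genuine update:", VerifyUpdate(pub, "ePrica", m, sig, good))
	// Attacker controls the download host but not the release key.
	fmt.Println("swapped payload:", VerifyUpdate(pub, "ePrica", m, sig, []byte("constructed: attacker blob")))
}
```

The decisive design choice is that the client trusts a pinned public key, not the download server: compromising ws.eprica.ru or its TLS certificate would then yield nothing executable, and a stolen release key would show up as a signed manifest that can be revoked and audited.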

Fourthly, Spargo Technologies's claims about the cleanliness and safety of its products, made with reference to ePrica's inclusion in the Unified Register of Russian Software, are unfounded, since this register has nothing to do with the security of software products. Evgenia Vasilenko, Executive Director of the OTPP "Otechestvenniy Soft", member of the Expert Council on the development of the information technology industry and expert of the Interim Commission of the Federation Council on the development of the information society, comments:
"When considering applications to the register of Russian computer programs and databases, the source code of the software is not requested. The applicant is entitled to provide source codes. But in any case, the software distribution kit is checked by experts for compliance with the criteria of Russian software approved by law. First of all, the expert council checks the distribution kit for compliance with the declared classes of software, as well as for the absence of third-party components for which the applicant does not have exclusive rights.

The registry is a confirmation of the country of origin of the software. There are other certification and licensing procedures for software security issues."

Thus, the claims disseminated by Spargo Technologies that its software is guaranteed secure solely on the basis of its inclusion in the Unified Register of Russian Software can mislead and misinform the company's customers.

... and this is certainly not the end.

Source: https://habr.com/ru/post/332780/
