
Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak

Operation that hit thousands was “thoroughly well-planned and well-executed.”


The third-party software updater used to seed last week's NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed.

Researchers from antivirus provider Eset, in a blog post published Tuesday, said the malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that's widely used in Ukraine. The report echoed findings reported earlier by Microsoft, Kaspersky Lab, Cisco Systems, and Bitdefender. Eset said a "stealthy and cunning backdoor" used to spread the worm probably required access to the M.E.Doc source code. What's more, Eset said the backdoored ZvitPublishedObjects.dll file was first pushed to M.E.Doc users on May 15, six weeks before the NotPetya outbreak.
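The finding above, a vendor's own update module replaced by a backdoored copy and then served to every customer, is the kind of change a defender can only notice by comparing what is installed against what was originally deployed. The following is an added example, not code from the article or from Eset, Talos or Intellect Service: a baseline-manifest integrity check over an application's install tree that flags modules whose hash has changed, modules that appeared, and modules that vanished. The install directory, file names and contents are constructed for the demonstration; the article gives no hashes, so the baseline is built from the constructed files rather than from any real M.E.Doc release.

```python
"""
Added example (not from the Ars Technica article or from Eset/Talos): a
baseline-manifest integrity check of the kind a defender can run against an
application's install directory to notice that a module such as the
ZvitPublishedObjects.dll update component no longer matches what was
originally deployed. Directory layout, file names and contents below are
constructed for the demonstration; the check itself is generic.
"""
import hashlib
import tempfile
from pathlib import Path

MODULE_SUFFIXES = (".dll", ".exe")


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large modules are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir: Path, suffixes=MODULE_SUFFIXES) -> dict:
    """Record the hash of every module under install_dir at a trusted point in time."""
    return {
        p.relative_to(install_dir).as_posix(): sha256_of(p)
        for p in sorted(install_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def verify_against_baseline(install_dir: Path, baseline: dict, suffixes=MODULE_SUFFIXES) -> dict:
    """
    Compare the current install tree to the baseline.
    Returns three sorted lists: 'modified' (same name, different hash),
    'added' (present now but not in the baseline) and 'missing' (in the
    baseline but gone). Any non-empty list needs explaining before the
    next update from that vendor is trusted.
    """
    current = build_baseline(install_dir, suffixes)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(n for n in current if n not in baseline)
    missing = sorted(n for n in baseline if n not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """
    Constructed scenario: baseline a fake install tree, then replace
    ZvitPublishedObjects.dll with different contents (standing in for a
    backdoored update module) and drop an unexpected extra module.
    Both changes are reported by the check.
    """
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "MEDoc"  # constructed path, not the real install location
        (install / "bin").mkdir(parents=True)
        (install / "bin" / "ZvitPublishedObjects.dll").write_bytes(b"legitimate module v1")
        (install / "bin" / "ezvit.exe").write_bytes(b"launcher")
        baseline = build_baseline(install)

        # Simulated tampered update: same file name, different contents.
        (install / "bin" / "ZvitPublishedObjects.dll").write_bytes(b"legitimate module v1 + injected code")
        # And an unexpected module appearing alongside it.
        (install / "bin" / "helper.dll").write_bytes(b"unknown")
        return verify_against_baseline(install, baseline)


if __name__ == "__main__":
    print(demo())
```

A changed hash on its own does not distinguish a legitimate update from a tampered one; what it does is force the question, which is then answered by a hash or signature the vendor publishes through a channel other than the update server itself. Eset's remark that a 1.5GB install cannot be cleared of further backdoors by hand is also the argument for a baseline that covers every module rather than only the one already known to be bad.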

"As our analysis shows, this is a thoroughly well-planned and well-executed operation," Anton Cherepanov, senior malware researcher for Eset, wrote. "We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors."

Researchers from Cisco Systems' Talos group, in their own blog post published Wednesday, reported that a backdoored version of M.E.Doc was distributed in mid-April, a month earlier than the one found by Eset. At the request of M.E.Doc developers, Talos employees traveled to Kiev, Ukraine, to forensically analyze computers used by Intellect Service, the company that develops and markets the software. Among the things they found: a webshell that gave anyone with the underlying password access to the site. Talos also confirmed the backdoor built into the ZvitPublishedObjects update module.

Ukrainian police on Tuesday seized computers and software used by Intellect Service. A video published by the department's official YouTube account shows officers, at times armed with automatic weapons, entering company offices and asking unidentified employees questions. Ukrainian police also published the following statement, which warned that the backdoor may still be active. It advised all M.E.Doc users to immediately stop using the software and to turn off computers that have the application installed.

The Diskcoder.C virus served as cover for the largest cyberattack in Ukraine's history

“Criminal responsibility”

Colonel Serhiy Demydiuk, the head of Ukraine’s national Cyberpolice unit, told the Associated Press that M.E.Doc developers will "face criminal responsibility" because they disregarded earlier warnings their IT infrastructure was insecure. Since last week's outbreak, the developers have issued a series of conflicting statements. At first, M.E.Doc said it initially suffered a server compromise, then the company said it wasn't involved in the outbreak, and it later said it was cooperating with the investigation.

In a separate article published Wednesday, the AP reported that Ukrainian officials said they thwarted a follow-on attack that was scheduled to take place on July 4, also using the M.E.Doc software as a starting point. "We prevented the initiation of the second wave of viruses," police spokesman Yaroslav Trakalo said in the video released Wednesday, the AP reported. Trakalo said investigators have already found "evidence of Russian presence on these servers," although he didn't elaborate.

Researchers are still investigating precisely how NotPetya initially took hold of computers and then spread from machine to machine inside infected networks. Almost immediately, many researchers suspected the M.E.Doc update mechanism was compromised and used to silently infect users with the malware. NotPetya used Windows exploits developed by and later stolen from the National Security Agency. It combined them with custom tools that collected passwords from infected computers used to share files inside local networks. As a result, the malware was able to spread with no user interaction, in many cases allowing one or more compromised computers in Ukrainian offices to infect company computers located in other regions of the world. That advanced spreader was an earlier piece of evidence of the attackers' careful planning and execution.

Researchers have said NotPetya is unable to decrypt the hard drives it encrypts. The shortcoming, many researchers say, means NotPetya isn't financially motivated ransomware. Instead, it is the equivalent of a disk wiper with the objective of permanently destroying data. On Wednesday, researchers at antivirus provider Kaspersky Lab added to the intrigue by saying that the M.E.Doc backdoor that spread NotPetya was used to distribute at least one other malicious program at the same time.

The newly reported malware takes pains to mimic the WCry ransomware that spread in May. It encrypts data and demands a ransom of about $260 to provide the decryption key. So far, the attackers have received at least $13,260. On Tuesday night, attackers behind NotPetya removed about $10,000 from the Bitcoin wallet that received ransoms for that malware. It's not clear what the relationship is between NotPetya and FakeCry, as Kaspersky Lab has dubbed the previously undocumented malware.
