Wednesday, 5 July 2017

Comparing MEDoc backdoors in 176, 186, and 189 updates

To complement Anton Cherepanov's analysis of Telebot backdoor, I decided to compare the backdoor functionality of different MEDoc versions to figure out which my personal data might have been already leaked from the MEDoc installation I use now.

So far, three malicious updates of ZvitPublishedObjects.dll with the backdoor called TeleDoor on board have been detected by ESET:

  • 01.175-10.01.176, 14 April 2017 
  • 01.180-10.01.181, 15 May 2017
  • 01.188-10.01.189, 22 June 2017

These versions have different backdoor code resulting in various user's data might be stolen. The latest update 189 is now detected by 34 out of 60 antiviruses SHA-1: 3567434e2e49358e8210674641a20b147e0bd23c.

So, first, you need to know your current MEDoc version.  Mine is 185 that has no backdoor in the mentioned DLL.

However, it might be running the affected versions before for some time. So, which of my personal data could have been exfiltrated by the TeleBots group?

Backdoor commands

Let us start from the Backdoor commands. In versions 176 and 181, the Worker class of ZvitPublishedObjects.dll has commands numbered from '0' to '4'. And only the latest version has the extra command with the ordinal number '5' that calls AutoPayload() function which could be used to run NotPetya backdoor: 'rundll32.exe <dll name>, #1'. All of them are described in the Cherepanov's post, we only split the functions by versions.

#0: RunCmd() - runs a command in console specifying timeout up to 10 min;
#1: DumpData() - stores decoded data to the file;
#2: MinInfo() -  gets the following information: OS version, 32 or 64 bits, is admin or not, token, UAC info; in version 189: proxy and email configuration data including login and passwords.
#3: GetFile() - gets file from a user's computer;
#4: Payload() - dumps the data received from C&C server to the file and executes it;
#5: AutoPayload() - supposedly dumps and executes NotPetya wiper.

#5: AutoPayload() exists only in ver 189

In details, MEDoc receives the name of the DLL and the Base64-encoded DLL binary from the C&C server ( Then, MEDoc dumps DLL into the Windows folder under the specified name and executes.

Stolen data

The MeCom class contains the code responsible for retrieving information from your MEDoc environment and sending to C&C server in the form of Cookies.

In the version 176 and 181, TeleDoor sent only your Tax Id (Код ЄДРПОУ).

However, in version 189, your proxy and email setting including logins and passwords were sent as well. See the code of one of the MeCom constructors:

Proxy configuration:

Email configuration:

Proxy and Email settings are configured when setting up your MEDoc installation:

Your email account once compromised can be used in future targeted attacks, when a spear-phishing email with a trojan comes from a trusted email address, for example, in '' domain increasing chances for attackers to infect a target computer.

Conclusion and recommendations

If you are still running MEDoc software and were not infected with NotPetya locker, probably, you have MEDoc version lower than 189, and you should not be worried about stealing password for your email account and proxy server.

If you have MEDoc of version 189 or your computer have been encrypted and locked by NotPetya, you must change the email and proxy passwords.

I have MEDoc version 185 installed on my computer, but anyway:

  • I changed my email password for any case. because it is not possible to verify the full MEDoc code which is 1.5 Gb in size for the presence of other backdoor functions. 
  • I moved the MEDoc installation to the Windows virtual machine with NAT interface to run it in an isolated environment.
Morever, I think the accounting software like MEDoc that are used by the majority of enterprises in the country should be certified for being secured, similar to what has been done to security solutions. Such software MUST use HTTPS communication protocol and all PE files should be digitally signed.
The update servers MUST have advanced security protection including Demilitarized Zone, Intrusion Prevention Systems, Firewalls supplied with the latest threat intelligence data, and even Malware Sandbox with Multiscanner to verify all outgoing updates.

Contact us if you need to design a secure cloud/network architecture and deploy advanced security services based on open source products with threat intelligence support.

No comments:

Post a Comment