NotPetya – infection by legitimate auto-update

It seems the malware NotPetya, which recently infected mainly computers in Ukraine, was spread by a regular software update. As reported previously, the option to decrypt the data is only “simulated” – real decryption is not possible.

Backdoor in .NET

According to an analysis by ESET, the tax software M.E.Doc – a popular tax software in Ukraine – was used to spread DiscCoder.C, the actual malware. M.E.Doc got a backdoor; the file has been identified as ZvitPublishedObjects.dll, a 5 MB file containing non-critical backdoor code written in .NET. M.E.Doc itself periodically checks for software updates and installs them, either automatically or after confirmation by the user, depending on the setting. Because the malware was introduced in an official M.E.Doc update, neither an antivirus solution nor a signature verification had a chance to detect it. Since the hack of the update software was done very fast and went undetected, it is assumed that the attackers had insight into the M.E.Doc source code to learn its function and to create the backdoor. NotPetya was spread using that backdoor.
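The update path described above defeats the usual check because the backdoored file arrived as a correctly signed vendor update. The following added example (not M.E.Doc's or ESET's code) illustrates the defensive counter-measure: an update gate that accepts a file only if the vendor signature verifies and the file's hash also appears in a manifest pinned independently of the update server. The HMAC "signature", the key and the sample payloads are constructed placeholders, not real M.E.Doc data.

```python
import hashlib
import hmac

# Constructed sample data (not real M.E.Doc files): a stand-in vendor signing
# key and two update payloads that BOTH carry valid vendor signatures, modelling
# a compromised update pipeline where the attacker's build is signed like any other.
VENDOR_KEY = b"vendor-signing-key-example"
GOOD_UPDATE = b"ZvitPublishedObjects.dll build 1 (clean)"
TAMPERED_UPDATE = b"ZvitPublishedObjects.dll build 2 (backdoored)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_sign(data: bytes, key: bytes = VENDOR_KEY) -> str:
    # HMAC stands in for the vendor's real code-signing mechanism (assumption).
    return hmac.new(key, data, "sha256").hexdigest()


def vendor_signature_valid(data: bytes, sig: str, key: bytes = VENDOR_KEY) -> bool:
    return hmac.compare_digest(vendor_sign(data, key), sig)


def gate_update(data: bytes, sig: str, pinned_hashes: set) -> str:
    """Return 'accept' or 'quarantine:<reason>' for one update file.

    Channel 1: the vendor signature (worthless once the vendor pipeline is compromised).
    Channel 2: a hash manifest obtained and pinned independently of the update server.
    Both must pass; a signed-but-unpinned file is held for review instead of installed.
    """
    if not vendor_signature_valid(data, sig):
        return "quarantine:bad-signature"
    if sha256_hex(data) not in pinned_hashes:
        return "quarantine:signed-but-unpinned"
    return "accept"


def demo() -> dict:
    # The pinned manifest lists only the build that was reviewed out of band.
    pinned = {sha256_hex(GOOD_UPDATE)}
    return {
        "good": gate_update(GOOD_UPDATE, vendor_sign(GOOD_UPDATE), pinned),
        "tampered": gate_update(TAMPERED_UPDATE, vendor_sign(TAMPERED_UPDATE), pinned),
        "forged": gate_update(TAMPERED_UPDATE, vendor_sign(TAMPERED_UPDATE, b"wrong-key"), pinned),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "tampered" case is the NotPetya situation: the signature is genuine, so only the second, independent channel stops the install.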

Accounts and passwords are insecure

Further analysis shows that NotPetya is evidently able to intercept or log user accounts and passwords. This way the malware can spread further without direct or indirect intervention of the user. In addition, exploits leaked in the NSA documents were used. Following this, M.E.Doc users are advised to change the passwords of all user accounts in use. The analysis revealed that NotPetya is unable to decrypt the encrypted data. This software is not profit-based, but more or less a data-extinguisher. Since it overwrites the data with an encrypted version, recovery is almost impossible – after a pure delete, however, recovery would be quite possible.

Not ransomware – a data wiper

This case shows that even using legitimate software and installing only the official updates does not prevent you from being attacked by malware. It is believed that one of the servers of the M.E.Doc manufacturer was compromised. However, this was done manually – the updates officially created by the manufacturer contained no backdoor. As a result, some users of the software were not affected by the NotPetya outbreak – one legitimate update did not contain the backdoor, but the next version did again.