Security researcher Anton Cherepanov of ESET has published details on the initial attack vector of NotPetya (Petya.A, ExPetr), which swept across Ukraine on June 27 of this year. According to statements from Ukrainian law enforcement and ESET experts, the malware reached victims' systems through backdoored updates of the M.E.Doc accounting software. Initially the program's developer, Intellect-Service, denied any involvement in the attacks, but later acknowledged the presence of a backdoor in its product.
During the investigation, ESET specialists found a very inconspicuous and cunning backdoor in one of the legitimate M.E.Doc modules. According to Cherepanov, it is unlikely that anyone could have implemented it without access to the program's source code. The module is a file named ZvitPublishedObjects.dll, written for the .NET Framework. The 5 MB file contains a large amount of legitimate code that is called by various components, including the executable ezvit.exe.
Researchers analyzed the M.E.Doc updates for 2017 and found at least three containing the backdoor (those of April 14, May 15 and June 22). Three days after the May update was released, attacks using the XData ransomware were detected, and five days after the June update, Ukraine was hit by NotPetya.
The May 15 update contained the backdoor, but on May 17 another update was released, this time without it. That second update evidently came as a surprise to the attackers: they launched the ransomware on May 18, but most users had already installed the May 17 patch, so XData infected only a small number of systems.
Every Ukrainian enterprise and organization has a unique legal-entity identification code. With its help, the attackers could identify each company running the backdoored version of M.E.Doc. Having access to those networks, the attackers could take different actions depending on their goals.
Besides the identification number, the M.E.Doc backdoor collects from the infected system data such as proxy and e-mail settings, including user names and passwords. The malware writes them to the Windows registry under HKEY_CURRENT_USER\SOFTWARE\WC in values named Cred and Prx.
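The registry location above is a concrete host indicator a defender can sweep for. The following script is an added example (not ESET's code or part of the article): it parses a Windows registry export in the text .reg format and reports whether the HKEY_CURRENT_USER\SOFTWARE\WC key with the Cred and Prx values is present. The .reg sample is constructed, and the value contents are placeholders; the article does not describe how the backdoor encodes the stored data, so the check keys only on the key path and value names.

```python
"""Sweep a registry export (.reg text) for the M.E.Doc backdoor's credential cache.

Indicator from the article: key HKEY_CURRENT_USER\SOFTWARE\WC, values Cred and Prx.
This is an added example; the sample export below is constructed and the value
data are placeholders, not the real backdoor's encoding.
"""
import re

SUSPECT_KEY = r"HKEY_CURRENT_USER\SOFTWARE\WC"
SUSPECT_VALUES = {"Cred", "Prx"}

# Constructed sample export: one benign key followed by the suspect key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Example\Settings]
"Theme"="dark"

[HKEY_CURRENT_USER\SOFTWARE\WC]
"Cred"="PLACEHOLDER-credential-blob"
"Prx"="PLACEHOLDER-proxy-settings"
'''


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a decoded .reg export.

    Real exports are UTF-16LE on disk; decode them before calling this.
    Default values ("@=...") are skipped because the indicator uses named values.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                    data = data[1:-1]  # strip quotes from REG_SZ data
                keys[current][name] = data
    return keys


def find_wc_indicators(text):
    """Return the set of backdoor value names found under the WC key (empty if clean).

    Key paths are compared case-insensitively because exports may show
    'Software' or 'SOFTWARE' depending on how the hive was written.
    """
    found = set()
    for path, values in parse_reg(text).items():
        if path.lower() == SUSPECT_KEY.lower():
            found |= SUSPECT_VALUES & set(values)
    return found


if __name__ == "__main__":
    hits = find_wc_indicators(SAMPLE_REG)
    print("backdoor values present:", sorted(hits) if hits else "none")
```

Run it against `reg export HKCU\SOFTWARE out.reg` (decoded from UTF-16LE) on each host of interest; any non-empty result is worth an incident ticket, since the article gives no benign reason for that key to exist.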
Notably, the backdoor does not connect to any external C&C servers. Instead, the malware piggybacks on M.E.Doc's regular requests to the vendor's official update server, and the stolen data is sent to that server inside cookies. ESET researchers did not examine the servers themselves, but in their opinion the servers had been compromised. This was also confirmed by the management of Intellect-Service.
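Because the exfiltration rides on legitimate update checks to the vendor's own server, destination-based blocking does not help; what stands out is the size of the Cookie header on those requests. The script below is an added example, not ESET's or the vendor's code: it reads constructed proxy log lines in an assumed tab-separated format (time, client, host, path, Cookie header), builds a per-host median cookie length as a baseline, and flags clients whose cookies are far larger than that baseline. The host name `update.vendor.example` and the 4x factor are placeholders; the article does not name the update server.

```python
"""Flag update-check requests whose Cookie header is abnormally large.

Added example. The log format, the host name and the size factor are assumptions,
and the log lines are constructed; adapt parse_log() to your proxy's real format.
"""
import statistics

UPDATE_HOST = "update.vendor.example"  # placeholder, not the real update server
SIZE_FACTOR = 4                        # flag cookies more than 4x the host's median

# Constructed proxy log: tab-separated time, client, host, path, Cookie header.
# Three ordinary update checks, one with a bulky extra cookie, one unrelated request.
SAMPLE_LOG = (
    "2017-06-22T09:00:01\t10.0.0.5\tupdate.vendor.example\t/check\tsid=abc123\n"
    "2017-06-22T09:00:07\t10.0.0.8\tupdate.vendor.example\t/check\tsid=def456\n"
    "2017-06-22T09:00:09\t10.0.0.9\tupdate.vendor.example\t/check\tsid=ghi789\n"
    "2017-06-22T09:00:12\t10.0.0.7\tupdate.vendor.example\t/check\tsid=jkl012; data="
    + "A" * 600 + "\n"
    "2017-06-22T09:00:15\t10.0.0.5\tother.example\t/\tsession=zzz\n"
)


def parse_log(text):
    """Parse the assumed tab-separated format into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        time, src, host, path, cookie = parts
        rows.append({"time": time, "src": src, "host": host,
                     "path": path, "cookie": cookie})
    return rows


def oversized_cookies(text, host=UPDATE_HOST, factor=SIZE_FACTOR, min_samples=3):
    """Return [(client, cookie_length)] for requests to `host` whose Cookie header
    exceeds `factor` times the median cookie length seen for that host.

    A per-host median is used rather than a fixed byte limit so that a legitimately
    large session cookie does not trigger alerts; with fewer than `min_samples`
    requests the median is not meaningful and nothing is flagged.
    """
    rows = [r for r in parse_log(text) if r["host"] == host]
    if len(rows) < min_samples:
        return []
    baseline = statistics.median(len(r["cookie"]) for r in rows)
    return [(r["src"], len(r["cookie"]))
            for r in rows if len(r["cookie"]) > baseline * factor]


if __name__ == "__main__":
    for client, size in oversized_cookies(SAMPLE_LOG):
        print(f"{client}: cookie of {size} bytes to {UPDATE_HOST}")
```

The median-based baseline is deliberately conservative: it only works once several clients' ordinary update checks are in the window, which matches how this exfiltration looks in practice (many hosts making the same small request, a few making a much larger one).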