Ukrainian accounting software alleged source of infection
Ukrainian accounting software alleged source of infection

According to a blog post by Eset, legitimate Ukrainian accounting software M.E.Doc was used by the attackers to push DiskCoder.C malware in the initial phase of an attack that crippled businesses and governmental organisations across the Ukraine a week ago.

Eset said that a “very stealthy and cunning backdoor” was injected by attackers into one of M.E.Doc's legitimate modules. The software is used by around 80 percent of companies in the country and is sold by a company called Intellect Services.

“It seems very unlikely that attackers could do this without access to M.E.Doc's source code,” said Anton Cherepanov, malware researcher at Eset.

He said that when the firm examined all M.E.Doc updates that were released during 2017, it found that there were at least three updates that contained the backdoored module.

The incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017, through to May 10th 2017, and seven software updates from May 17th 2017, through to June 21st 2017, didn't contain the backdoored module,” said Cherepanov.

He added that since the 15 May update did contain the backdoored module and the 17 May update didn't, he hypothesised that the release of the 17 May update was an unexpected event for the attackers.

“They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module as they had updated already,” he said.

The attack used an ERDPOU code, which every company that does business in Ukraine has to identify itself. Hackers inserted code that recorded ERDPOU numbers in installed versions of the application, then passed this information back to Intellect Service's servers via innocuous-looking cookies.

"This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E. Doc," Cherepanov said. "Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers' goal(s)."

Cherepanov said there was still questions to answer, such as how long the backdoor was in use and what other malware has been pushed via this channel.

Olesya Linnik, managing partner at Intellect Service, told Reuters that the company denied spreading the malware. "The cyber police are currently bogged down in the investigation, we gave them the logs of all our servers and there are no traces that our servers spread this virus," she said.

Javvad Malik, security advocate at AlienVault, told SC Media UK that for software companies, source code is often the crown jewels.

“It needs to have multiple layers of protection and validation in place. Even without external threats, there is a danger of internal errors, so a well-defined software development methodology needs to be in place with version controls, so that no inadvertent changes are pushed to production,” he said.

“Legitimate code, updates, and downloads have been used for propagating malware. For example, a few weeks ago, malware was injected into the Mac version of handbrake. The use of checksums to validate the integrity of files can be useful, as long as the original checksum hasn't also been compromised.”

Tony Rowan, chief security consultant at SentinelOne, told SC that controlling the supply chain is essential to maintain a clean code base.

“This includes understanding and controlling the hardware and software supply chains to ensure that only trusted sources are used and no materials are injected into that supply chain. This means defining and applying security requirements for the whole of that supply chain and actively applying controls including audits,” Rowan said.

“Once equipment and software is in place, the integrity of those resources needs to be maintained and, for endpoints like developers' devices, this means state-of-the-art endpoint security needs to be in place. Solid code verification and walkthroughs are also essential before release,” he said.