Zero-day vulnerability in M.E.Doc

Backdoor

2017-06-27

2017-07-07

The backdoor code was distributed via automatic update functionality. The infected version 10.01.189 contained backdoor code, which downloaded and installed NotPetya ransomware along with other tools, indented to distribute malware within local network. 75% of victims were located in Ukraine.

Known malware:

NotPetya

Vulnerability details

Advisory: SB2017062710 - Backdoor in M.E.Doc software

Vulnerable component: M.E.Doc

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper input validation

Description:

The security issue exists due to presence of backdoor code in updates, distributed from the official website. After update installation, the system becomes infected with NotPetya ransomware.

Malware, present in the code, also performs various attempts to infect other systems.

External links:

https://issp.ua/issp_system_images/Petya-NotPetya-Reverse-by-ISSP-Labs.pdf
https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.