NotPetya installed on Ukrainian computers came with an email harvesting backdoor

NotPetya installed on Ukrainian computers came with an email harvesting backdoor

The earliest victims of last week's global NotPetya attacks — users of the Ukrainian accounting software MeDoc — are also victims of the email account credential-harvesting backdoor used to install NotPetya, according to a new report.

Though the impacts of NotPetya were felt globally, the attacks began locally. The first victims of NotPetya inadvertently installed the malware as part of software updates to MeDoc. From there, NotPetya infected computers across the networks those computers were attached to.

But attackers used a second piece of malware embedded in the update to launch NotPetya once the update arrived. That malware, which anti-virus firm ESET detailed in a report released Tuesday, was a backdoor into computers with MeDoc that could install programs, steal credentials to log into email and other settings used in MeDoc. 

ESET is calling that backdoor TeleDoor. 

ADVERTISEMENT

ESET determined TeleDoor was included in three of the last seven MeDoc software updates and believes they were likely added to the updates after attackers compromised MeDoc's systems. 

A week after the attacks, major global companies impacted by NotPetya announced their systems have returned to near normal. On Tuesday, global shipping giant Maersk said that all but one of its terminals had resumed operation. The international law firm DLA Piper also announced that its email servers were back online. 

Reports from Kryptos Logic and Kaspersky show that NotPetya was not the only malware that took advantage of MeDoc's update system. Both have discovered separate ransomware shipped over the same MeDoc attack vector. 

That new ransomware, notes Kaspersky, appears to pay homage to the WannaCry attack with references to it in its code, and contains the likely tongue-in-cheek note "Copyright 2016, Made in China."

Kaspersky is dubbing this new malware FakeCry.