By Editor
Anton Cherepanov, a malware researcher at ESET, has
picked up a Pwnie Award for Best Backdoor at this year’s ceremony at Black Hat
USA 2017 in Las Vegas.
The award was in recognition of his work in
discovering what Cherepanov described earlier this month as a “stealthy and cunning
backdoor” that allowed cybercriminals to install and spread Diskcoder.C via M.E.Doc.
As the organisers of the awards stated in their nomination
blurb for the award: “To prepare their taxes, folks the world over install
janky software developed for a captive market of their nation’s tax laws.
“In Ukraine, accountants who installed M.E.Doc
received a backdoor in the gig and a half of their full installation.”
According to Cherepanov’s analysis of the
Telebot backdoor, the backdoor is believed to have been injected into one of M.E.Doc’s
legitimate modules.
Interestingly, it is believed that the cybercriminals
could not have done this without having access to M.E.Doc’s source code.
“The backdoored module has the filename
ZvitPublishedObjects.dll,” explained Cherepanov in his expert piece.
“This was written using the .NET Framework. It is a
5MB file and contains a lot of legitimate code that can be called by other
components, including the main M.E.Doc executable ezvit.exe.”
Concluding his analysis of the backdoor, ESET’s
malware researcher noted that this was a highly sophisticated and technical
operation, which had been well thought out.