{
	"id": "a4e6d1d0-8bba-4bf6-abd6-95dc37787df4",
	"created_at": "2026-04-06T00:16:40.61739Z",
	"updated_at": "2026-04-10T03:37:08.913478Z",
	"deleted_at": null,
	"sha1_hash": "57108210ceb5ebdd3bc2ab1c3d8b54f92d7231f8",
	"title": "Analysis of TeleBots’ cunning backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 233587,
	"plain_text": "Analysis of TeleBots’ cunning backdoor\r\nBy Anton Cherepanov\r\nArchived: 2026-04-05 17:10:51 UTC\r\nOn the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as DiskCoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 in bitcoins for recovery. In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely.\r\nIn our previous blogpost, we attributed this attack to the TeleBots group and uncovered details about other similar supply chain attacks against Ukraine. This article reveals details about the initial distribution vector that was used during the DiskCoder.C outbreak.\r\nTale of a malicious update\r\nThe Cyberpolice Department of Ukraine’s National Police stated, on its Facebook account, as did ESET and other information security companies, that the legitimate Ukrainian accounting software M.E.Doc was used by the attackers to push DiskCoder.C malware in the initial phase of the attack. However, until now, no details were provided as to exactly how it was accomplished.\r\nDuring our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc's legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc's source code.\r\nThe backdoored module has the filename ZvitPublishedObjects.dll. It was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.\r\nWe examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:\r\n10.01.175-10.01.176, released on April 14th 2017\r\n10.01.180-10.01.181, released on May 15th 2017\r\n10.01.188-10.01.189, released on June 22nd 2017\r\nThe incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017, through to May 10th 2017, and seven software updates from May 17th 2017, through to June 21st 2017, didn’t contain the backdoored module.\r\nhttps://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/\r\nPage 1 of 9\r\nSince the May 15th update did contain the backdoored module and the May 17th update didn’t, here is a hypothesis that could explain the low Win32/Filecoder.AESNI.C infection ratio: the release of the May 17th update was an unexpected event for the attackers. They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module as they had updated already.\r\nThe PE compilation timestamps of the analyzed files suggest that these files were compiled on the same date as the update or the day before.\r\nFigure 1 - Compilation timestamp of the backdoored module pushed in the May 15th update.\r\nFigure 2 shows the differences between the lists of classes of the backdoored and non-backdoored versions of the ZvitPublishedObjects.dll module, using the ILSpy .NET Decompiler:\r\nFigure 2 - List of classes in the backdoored module (at left) and the non-backdoored one (at right).\r\nThe main backdoor class is named MeCom and it is located in the ZvitPublishedObjects.Server namespace, as shown in Figure 3.\r\nFigure 3 - The MeCom class with malicious code, as shown in ILSpy .NET Decompiler.\r\nThe methods of the MeCom class are invoked by the IsNewUpdate method of UpdaterUtils in the ZvitPublishedObjects.Server namespace. The IsNewUpdate method is called periodically in order to check whether a new update is available. The backdoored module from May 15th is implemented in a slightly different way and has fewer features than the one from June 22nd.\r\nEach organization that does business in Ukraine has a unique legal entity identifier called the EDRPOU number (Код ЄДРПОУ). This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E.Doc. Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers’ goal(s).\r\nSince M.E.Doc is accounting software commonly used in Ukraine, the EDRPOU values could be expected to be found in application data on machines using this software. Hence, the code that was injected in the IsNewUpdate method collects all EDRPOU values from application data: one M.E.Doc instance could be used to perform accounting operations for multiple organizations, so the backdoored code collects all possible EDRPOU numbers.\r\nFigure 4 - Code that collects EDRPOU numbers.\r\nAlong with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application.\r\nWarning! We recommend changing passwords for proxies, and for email accounts, for all users of M.E.Doc software.\r\nThe malicious code writes the information collected into the Windows registry under the HKEY_CURRENT_USER\\SOFTWARE\\WC key using the Cred and Prx value names. So if these values exist on a computer, it is highly likely that the backdoored module did, in fact, run on that computer.\r\nAnd here is the most cunning part! The backdoored module does not use any external servers as C\u0026Cs: it uses the M.E.Doc software’s regular update check requests to the official M.E.Doc server upd.me-doc.com[.]ua. The only difference from a legitimate request is that the backdoored code sends the collected information in cookies.\r\nFigure 5 - HTTP request of the backdoored module that contains the EDRPOU number in cookies.\r\nWe have not performed forensic analysis on the M.E.Doc server. However, as we noted in our previous blogpost, there are signs that the server was compromised. So we can speculate that the attackers deployed server software that allows them to differentiate between requests from compromised and non-compromised machines.\r\nFigure 6 - Code of the backdoor that adds cookies to the request.\r\nAnd, of course, the attackers added the ability to control the infected machine. The code receives a binary blob from the official M.E.Doc server, decrypts it using the Triple DES algorithm, and, afterwards, decompresses it using GZip. The result is an XML file that could contain several commands at once. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time.\r\nFigure 7 - Code of the backdoor that decrypts incoming malware operators’ commands.\r\nThe following table shows the possible commands (number – name: purpose):\r\n0 – RunCmd: Executes the supplied shell command\r\n1 – DumpData: Decodes the supplied Base64 data and saves it to a file\r\n2 – MinInfo: Collects information about OS version, bitness (32 or 64), current privileges, UAC settings, proxy settings, and email settings including login and password\r\n3 – GetFile: Collects a file from the infected computer\r\n4 – Payload: Decodes the supplied Base64 data and saves it to an executable file\r\n5 – AutoPayload: Same as the previous command, but the supplied file should be a DLL, and it will be dropped and executed from the Windows folder using rundll32.exe. In addition, once executed, it attempts to overwrite that dropped DLL and delete it.\r\nIt should be noted that command number 5, named AutoPayload by the malware authors, perfectly matches the way in which DiskCoder.C was initially executed on “patient zero” machines.\r\nFigure 8 - AutoPayload method that was used to execute DiskCoder.C malware.\r\nConclusions\r\nAs our analysis shows, this is a thoroughly well-planned and well-executed operation. We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors.\r\nThere are still questions to answer. How long has this backdoor been in use? What commands and malware other than DiskCoder.C or Win32/Filecoder.AESNI.C have been pushed via this channel? What other software update supply chains might the gang behind this attack have already compromised but are yet to weaponize?\r\nSpecial thanks to my colleagues Frédéric Vachon and Thomas Dupuy for their help in this research.\r\nIndicators of Compromise (IoC)\r\nESET detection names:\r\nMSIL/TeleDoor.A\r\nLegitimate servers abused by malware authors:\r\nupd.me-doc.com[.]ua\r\nSHA-1 hashes:\r\n7B051E7E7A82F07873FA360958ACC6492E4385DD\r\n7F3B1C56C180369AE7891483675BEC61F3182F27\r\n3567434E2E49358E8210674641A20B147E0BD23C\r\nSource: https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/"
	],
	"report_names": [
		"analysis-of-telebots-cunning-backdoor"
	],
	"threat_actors": [
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57108210ceb5ebdd3bc2ab1c3d8b54f92d7231f8.pdf",
		"text": "https://archive.orkl.eu/57108210ceb5ebdd3bc2ab1c3d8b54f92d7231f8.txt",
		"img": "https://archive.orkl.eu/57108210ceb5ebdd3bc2ab1c3d8b54f92d7231f8.jpg"
	}
}