Continuation of the story of cyber espionage at pharmacies

    Amid all the ransomware epidemics, the work of backdoors somehow drops out of view: dangerous, hard to spot, doing their job quietly and at first glance invisible. But in vain! After all, updates are usually applied only when the house is already on fire, although if a backdoor were found in time and closed, instead of everyone pretending that all is in order, situations like this one could be avoided.

    Well, here is what is actually going on: the story of the pharmacy cyberattacks has a continuation.

    Doctor Web responds to the accusations from Spargo Technologies and explains the evidence of industrial espionage in Russian pharmacies.

    After Doctor Web published the results of its investigation into a targeted attack on many Russian pharmacy chains and pharmaceutical companies using malware of the BackDoor.Dande family, a statement appeared on the official website of the joint-stock company Spargo Technologies alleging that DrWeb, in violation of business ethics, is spreading knowingly false and inaccurate information about virus files being present in the ePrica program. Doctor Web stands by its findings and helps Spargo Technologies understand the situation.

    It should be noted, firstly, that Spargo Technologies did not contact Doctor Web for additional information before publishing its statement, and considered it acceptable to blame us while deliberately distorting the substance of what we had published.

    Secondly, at the time Doctor Web began its investigation in 2012, more than 2,800 pharmacies and Russian pharmaceutical companies were infected (according to our company's virus monitoring service). Incidentally, it was complaints from our customers that prompted the investigation. Moreover, the BackDoor.Dande.61 spyware module found by Doctor Web's analysts is detected as malicious by 41 of the 63 antivirus vendors listed on VirusTotal.

    Thirdly, it is important to note that the ePrica program itself did not contain malicious files, and accordingly Doctor Web never wrote that it did. ePrica is an application developed by Spargo Technologies that lets pharmacy managers analyze drug prices and choose the best supplier. The PriceCompareLoader.dll dynamic library used by this program exports functions that load libraries directly into memory. PriceCompareLoader.dll is called from PriceComparePm.dll. This library attempts to download a payload from a website, decrypt it with the AES algorithm and run it from memory. The Trojan was downloaded from ws.eprica.ru, a site owned by Spargo Technologies and intended for updating the ePrica program. At the same time, the module that covertly downloaded the malicious program straight into the computer's memory carried a valid "Spargo" digital signature, and it was precisely this covert-download scheme that made such a long investigation necessary to determine the source of infection. The Trojan uploaded commercial information stolen from infected computers to servers outside Russia. In other words, just as with Trojan.Encoder.12544, which was distributed through the MEDoc software, the backdoor was hidden in the program's update module.
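    The loader pattern described above (a vendor-signed module fetches an encrypted blob from the vendor's own update server, decrypts it and runs it from memory) is worth seeing in code, because it shows why a valid code signature on the loader says nothing about what the loader will execute: the decryption key has to live inside the loader, so whoever controls the update content can encrypt anything and it will "decrypt fine". What follows is an added example and not Doctor Web's analysis code, nor Spargo's ePrica or PriceCompareLoader.dll code; the Update structure, the fixed encryption key, the module payloads and the function names are all constructed for illustration. It contrasts a loader that treats successful decryption as authorization with one that additionally requires an Ed25519 signature from a pinned publisher key held by the release process rather than by the update server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update models the blob a loader fetches from an update server.
// Hypothetical format for this example only, not a real wire format.
type Update struct {
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // encrypted module bytes (GCM tag appended)
	Signature  []byte // Ed25519 signature over the plaintext module; empty in the weak scheme
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealModule encrypts a module the way the loader expects. Anyone who holds
// encKey can do this, and encKey must be embedded in the loader for it to
// decrypt anything, so it is not a secret from a well-positioned attacker.
func sealModule(encKey, module []byte) (Update, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return Update{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Update{}, err
	}
	return Update{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, module, nil)}, nil
}

// signModule attaches the publisher's Ed25519 signature over the plaintext.
// The private key belongs to the release process, never to the update server.
func signModule(priv ed25519.PrivateKey, u Update, module []byte) Update {
	u.Signature = ed25519.Sign(priv, module)
	return u
}

// loadUnverified is the scheme the text describes: download, decrypt, run.
// Successful decryption is treated as proof that the module is legitimate.
func loadUnverified(encKey []byte, u Update) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	// GCM only tells us the blob was produced by someone holding encKey.
	return gcm.Open(nil, u.Nonce, u.Ciphertext, nil)
}

// loadVerified decrypts and then insists on a signature from a pinned
// publisher public key before handing the module to the in-memory loader.
func loadVerified(encKey []byte, pub ed25519.PublicKey, u Update) ([]byte, error) {
	module, err := loadUnverified(encKey, u)
	if err != nil {
		return nil, err
	}
	// Verify returns false for a missing or wrong-length signature as well.
	if !ed25519.Verify(pub, module, u.Signature) {
		return nil, errors.New("module not signed by the pinned publisher key; refusing to load")
	}
	return module, nil
}

func main() {
	encKey := bytes.Repeat([]byte{0x42}, 32) // constructed: the key baked into the loader
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	legit := []byte("price-compare module v2")             // constructed payload
	hostile := []byte("collect-sales-data-and-exfiltrate") // constructed payload

	good, _ := sealModule(encKey, legit)
	good = signModule(priv, good, legit)
	bad, _ := sealModule(encKey, hostile) // attacker knows encKey: it is in the DLL
	bad = signModule(attackerPriv, bad, hostile)

	for _, u := range []Update{good, bad} {
		m1, err1 := loadUnverified(encKey, u)
		m2, err2 := loadVerified(encKey, pub, u)
		fmt.Printf("unverified: %q %v | verified: %q %v\n", m1, err1, m2, err2)
	}
}
```

    The weak loader accepts the hostile module because it decrypts correctly; the verified loader rejects it whether it is unsigned or signed with a key other than the pinned one. The caveat a practitioner will want: this only helps when the attacker controls the update server or its content. If the adversary can alter the build that is then signed with the vendor's code-signing certificate, as the valid "Spargo" signature on the download module suggests is at least worth investigating here, the check can simply be removed from the loader, and the defence has to move to build integrity and release-time review instead.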

    Fourth, the statements by Spargo Technologies about the cleanliness and security of its solutions, made in connection with the inclusion of the ePrica program in the Unified Register of Russian Programs, are unfounded, since that registry has nothing to do with the security of software products. Evgenia Vasilenko, Executive Director of the Russian Software Center, member of the Expert Council for the Development of the Information Technology Industry and expert of the Interim Commission of the Federation Council for the Development of the Information Society, comments:
    “When considering applications to the registry of Russian computer programs and databases, the source code of the software is not requested. The applicant is entitled to provide the source code. But in any case, the software distribution is checked by experts for compliance with the criteria for Russian software approved by law. First of all, the expert council checks the distribution for compliance with the declared software classes, as well as for the absence of third-party components to which the applicant does not hold exclusive rights.

    The registry is a confirmation of the software's country of origin. There are other certification and licensing procedures that deal with software security.”

    Thus, the information disseminated by Spargo Technologies about the guaranteed security of its software solely on the basis of its inclusion in the Unified Register of Domestic Software may mislead and misinform the company's customers.

    ... and this is probably not the end.
