CFM website

Ukrainian authorities and businesses are on alert after a local security firm reported that another accounting software maker got hacked and its servers were being used to spread malware.

The incident is almost identical to how the NotPetya ransomware outbreak started on June 27, this year, when hackers breached Intellect Services' servers and trojanized update packages for the M.E.Doc accounting software package, delivering at least three ransomware families on three different occasions (XData, NotPetya, and a WannaCry lookalike).

Hackers breached M.E.Doc's rival

This time around, according to two reports by ISSP Labs, hackers breached the servers of Crystal Finance Millennium (CFM), another company that makes accounting software for local businesses, one of Intellect Services' rivals.

Hackers didn't breach the CFM update systems, but only the company's web server, which they used to store malware.

According to Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab, attackers breached the company's servers since at least August 18, last week.

During this time, the group sent phishing emails to various targets. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM's web server.

Several hacked servers spreading ransomware, others

According to Craiu, the load.exe file would later download the Purge ransomware, an offshoot from the larger Globe ransomware family. Kaspersky calls this version Purgen, and ranked it #9 in its list of top ransomware families for Q2 2017.

Back in October last year, Emsisoft had previously released a free decrypter for Globe's Purge version, but we cannot guarantee that the decrypter will work with newer versions.

According to additional data included in the ISSP Labs report, the attacks were part of a larger malware distribution campaign, with similar load.exe files hosted on the web servers of other companies.

A Sophos Labs security researcher who goes by the pseudonym of OD says he identified one of the load.exe files spread via another server, and says he saw it dropping the Zbot banking trojan.

A third security researcher from a US cyber-security firm and Bart Parys, an independent security researcher, also mentioned seeing the Chthonic banking trojan.

In a blog post published after this article's original publication date, Parys also revealed he discovered the same malware campaign pushing SmokeLoader and PSCrypt, a ransomware family that has targeted Ukraine exclusively. This is of notice, as experts believed PSCrypt was spread manually via RDP connections.

This looks like a mundane malware campaign

All in all, this appears to be a run-of-the-mill malware campaign that was discovered on the wrong server, at the wrong time.

We say "wrong time" because tomorrow is Ukraine's Independence Day. The NotPetya ransomware outbreak took place on June 27, one day before Ukraine's Constitution Day.

Many security firms attributed the NotPetya ransomware outbreak to a Russian cyber-espionage group named TeleBots. ESET and other experts said that TeleBots chose to spread NotPetya one day before a national holiday to maximize its damage.

Ukrainian officials and local businesses feared a second TeleBots attack when they heard about the hacking of the CFM servers.

No major ransomware outbreak in Ukraine

Bleeping Computer reached out to MalwareHunter, one of the researchers behind ID-Ransomware, an online service that allows ransomware victims to identify the type of ransomware that has infected their computers.

According to MalwareHunter, there is little to no activity on the ransomware front coming from Ukraine, with the exception of a few PSCrypt infection that are related to a campaign that started last week, which now, in hindsight, is the one that ISPP experts linked to Crystal Finance Millennium's servers.

All in all, there is no evidence to suggest that someone is targeting Ukraine with another major ransomware campaign.

At the time of writing, CFM's web hosting provider intervened and took down the company's website to prevent it from spreading its malicious payload to new victims (see image above).

No CFM or ISSP Labs spokespersons were available for comments due to a national holiday.

Article updated with information about a third, fourth, and fifth malware strains dropped during the campaign.