Backdoor.MSIL.TeleDoor.A
TSL ID TSL20170713-03
Severity High
Description

Backdoor.MSIL.TeleDoor.A is a backdoor that targets the Windows platform. It is reported that the malware is used to deliver and execute the PetyaWrap ransomware worm. The malware collects the EDRPOU, a legal entity identifier from the Ukrainian state registry, together with the user name. It identifies itself to a remote server by sending the collected information and then accepts various commands to perform malicious activities on the infected machine. The supported commands allow the operator to execute a shell command and send its output back to the remote server, collect and send system information to the remote server, download and execute a file, and more.

Affected Products
  • Microsoft Windows All Versions
File Hashes
MD5:
  • 3EFE62F6CB7285153114F888900A0962
SHA1:
  • 3567434E2E49358E8210674641A20B147E0BD23C
Identifiers
Kaspersky
  • HEUR:BACKDOOR.MSIL.TELEDOOR.GEN
McAfee
  • BACKDOOR-TELEBOT!3EFE62F6CB72
Microsoft Malware Protection Center
Panda
  • BCK/TELEDOORS.A
Sophos
  • TROJ/TELEDOOR-A
Symantec
  • BACKDOOR.TELEBOT
TrendMicro
AegisLab
  • BACKDOOR.MSIL.TELEDOOR!C
AhnLab-V3
  • TROJAN/WIN32.TELEDOOR.C2029728
ALYac
  • BACKDOOR.MSIL.TELEBOT
Arcabit
  • TROJAN.GENERIC.D54C74E
Avira
  • TR/REDCAP.NAEAB
BitDefender
  • TROJAN.GENERICKD.5556046
ClamAV
  • WIN.TROJAN.NYETYA-6332125-0
Cyren
  • W32/TROJAN.KWQT-4990
DrWeb
  • BACKDOOR.MEDOC.1
ESET-NOD32
  • MSIL/TELEDOOR.A
GData
  • MSIL.BACKDOOR.TELEDOOR.A
Ikarus
  • BACKDOOR.TELEDOOR
Jiangmin
  • BACKDOOR.MSIL.OKD
NANO-Antivirus
  • TROJAN.WIN32.BACKDOOR.EQQOVG
Rising
  • TROJAN.TELEDOOR!8.E913
Tencent
  • WIN32.TROJAN.TELEBOT.UHCZ
ViRobot
  • BACKDOOR.WIN32.S.AGENT.5207040
Webroot
  • W32.BACKDOOR.MEDOC
Yandex
  • TROJAN.TELEDOOR!
References
  • http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
  • https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/
  • https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
Related Threats
  • TSL20170627-06 - Worm.Win32.PetyaWrap.A