M.E.Doc is a Ukrainian company that makes accounting software. It has many clients and distributes its software directly to them. Around April this year, its network was compromised after an attacker obtained stolen credentials belonging to an administrator. With those credentials the attacker was able to log in and start modifying server configurations and software.

The attacker modified the nginx.conf config file on an M.E.Doc update server to reverse proxy requests to a server hosted at OVH. The server was being used by a hosting reseller called THCServers.com. This server had been compromised by the attacker prior to launching the attack on M.E.Doc.
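To make the nginx change concrete, here is an added illustration of what a reverse-proxy edit of this kind looks like in an nginx server block. This is not the file from the M.E.Doc server: the hostname, the location path and the upstream address (a TEST-NET documentation address) are placeholders.

```nginx
# Added illustration, not the actual nginx.conf from the M.E.Doc server.
# Hostname, path and upstream address below are placeholders.
server {
    listen 80;
    server_name upd.example.com;          # placeholder hostname

    # Benign update-server behaviour: serve update files from local disk.
    location / {
        root /var/www/updates;
    }

    # What a hostile edit looks like: one location quietly forwarded to an
    # external host the operator does not control. Clients still see the
    # legitimate hostname and certificate of the update server.
    location /update/check {
        proxy_pass http://203.0.113.10;   # placeholder: attacker-held server
        proxy_set_header Host $host;
    }
}
```

A quick check on any server you run: dump the effective configuration with `nginx -T` and compare every `proxy_pass` target against the list of upstreams you actually operate. An upstream outside your own address space, on a server whose job is to serve static update files, is the kind of change that should have been caught.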

The attacker then modified the M.E.Doc accounting software to include their own malicious code. Unaware of the compromise, M.E.Doc distributed the modified software to its clients as usual. Once installed on a workstation, the modified software contacted the compromised M.E.Doc NGINX server every two minutes to fetch commands the attacker wanted to run.

That request to the M.E.Doc NGINX server for commands was reverse proxied through to the compromised OVH command and control server the attacker controlled. When the attacker wanted to send commands to infected workstations, they simply set up a new command on the compromised OVH server which the workstations then dutifully fetched via the compromised NGINX server.
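The fixed two-minute polling interval described above is exactly the kind of regularity a defender can look for. The following Python script, added here and not part of the original post, reads nginx access-log lines and flags client/path pairs that are requested at a near-constant interval. The log lines are constructed for the example; the `/update/check` path, the client addresses and the 120-second period are assumptions, not details from the incident.

```python
"""Flag fixed-interval (beacon-like) request patterns in nginx access logs.

Added example, not code from the original post. The sample log lines are
constructed in nginx 'combined' format; the path, client addresses and the
120-second period are assumptions for illustration only.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Combined log format: client - user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one host polling /update/check every ~2 minutes,
# one host browsing normally, one host that only polled twice.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jun/2017:10:00:00 +0000] "GET /update/check HTTP/1.1" 200 312 "-" "Agent"',
    '10.0.0.9 - - [27/Jun/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla"',
    '10.0.0.9 - - [27/Jun/2017:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla"',
    '10.0.0.5 - - [27/Jun/2017:10:02:00 +0000] "GET /update/check HTTP/1.1" 200 312 "-" "Agent"',
    '10.0.0.7 - - [27/Jun/2017:10:03:00 +0000] "GET /update/check HTTP/1.1" 200 312 "-" "Agent"',
    '10.0.0.9 - - [27/Jun/2017:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla"',
    '10.0.0.5 - - [27/Jun/2017:10:04:01 +0000] "GET /update/check HTTP/1.1" 200 312 "-" "Agent"',
    '10.0.0.7 - - [27/Jun/2017:10:05:00 +0000] "GET /update/check HTTP/1.1" 200 312 "-" "Agent"',
    '10.0.0.5 - - [27/Jun/2017:10:06:00 +0000] "GET /update/check HTTP/1.1" 200 312 "-" "Agent"',
    '10.0.0.5 - - [27/Jun/2017:10:08:00 +0000] "GET /update/check HTTP/1.1" 200 312 "-" "Agent"',
    '10.0.0.9 - - [27/Jun/2017:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla"',
]


def parse_line(line):
    """Return (client_ip, path, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("path"), ts


def find_beacons(lines, period=120, tolerance=5, min_hits=4):
    """Return {(ip, path): mean_gap_seconds} for client/path pairs requested
    at a near-constant interval of roughly `period` seconds.

    A pair qualifies when it has at least `min_hits` requests, the mean gap
    is within `tolerance` seconds of `period`, and the gaps barely vary
    (population std dev <= tolerance). Human browsing fails the jitter test;
    a client that polled only a couple of times fails the hit-count test.
    """
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, path, ts = parsed
            seen[(ip, path)].append(ts)

    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(mean_gap - period) <= tolerance and jitter <= tolerance:
            beacons[key] = mean_gap
    return beacons


if __name__ == "__main__":
    for (ip, path), gap in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"beacon-like: {ip} -> {path} every ~{gap:.0f}s")
```

Run against real logs, this would be fed `access.log` rather than `SAMPLE_LOG`, and the `period` argument dropped or widened if the interval is unknown: in that case a low `jitter` relative to the mean gap is the signal by itself. Note that on the M.E.Doc server the polling looked like ordinary update checks from legitimate software, so the interval alone is not proof of compromise; it is a reason to look at where the proxied request was going.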
