Late last year, a wave of cyber-attacks hit several critical sectors in Ukraine. Widely discussed in the media, the attacks took advantage of known BlackEnergy Trojans as well as several new modules.
BlackEnergy is a Trojan that was created by a hacker known as Cr4sh. In 2007, he reportedly stopped working on it and sold the source code for an estimated $700. The source code appears to have been picked by one or more threat actors and was used to conduct DDoS attacks against Georgia in 2008. These unknown actors continued launching DDoS attacks over the next few years. Around 2014, a specific user group of BlackEnergy attackers came to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors around the world. This indicated a unique skillset, well above the average DDoS botnet master.
For simplicity, we’re calling them the BlackEnergy APT group.
One of the prefered targets of the BlackEnergy APT has always been Ukraine. Since the middle of 2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document.
A few days ago, we discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine. Unlike previous Office files used in previous attacks, this is not an Excel workbook, but a Microsoft Word document. The lure used a document mentioning the Ukraine “Right Sector” party and appears to have been used against a television channel.
At the end of the last year, a wave of attacks hit several critical sectors in Ukraine. Widely discussed in the media and by our colleagues from ESET, iSIGHT Partners and other companies, the attacks took advantage of both known BlackEnergy Trojans as well as several new modules. A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum (the text is only available in Russian for now, but can be read via Google Translate).
In the past, we have written about BlackEnergy, focusing on their destructive payloads, Siemens equipment exploitation and router attack plugins. You can read blogs published by my GReAT colleagues Kurt Baumgartner and Maria Garnaeva here and here. We also published about the BlackEnergy DDoS attacks.
Since mid-2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros which drop the trojan to disk if the user chooses to run the script in the document.
For the historians out there, Office documents with macros were a huge problem in the early 2000s, when Word and Excel supported Autorun macros. That meant that a virus or trojan could run upon the loading of the document and automatically infect a system. Microsoft later disabled this feature and current Office versions need the user to specifically enable the Macros in the document to run them. To get past this inconvenience, modern day attackers commonly rely on social engineering, asking the user to enable the macros in order to view “enhanced content”.
Few days ago, we came by a new document that appears to be part of the ongoing attacks BlackEnergy against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document:
“$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2)
This document was uploaded to a multiscanner service from Ukraine on Jan 20 2016, with relatively low detection. It has a creation_datetime and last_saved field of 2015-07-27 10:21:00. This means the document may have been created and used earlier, but was only recently noticed by the victim.
Upon opening the document, the user is presented with a dialog recommending the enabling of macros to view the document.
Interestingly, the document lure mentions “Pravii Sektor” (the Right Sector), a nationalist party in Ukraine. The party was formed in November 2013 and has since played an active role in the country’s political scene.
To extract the macros from the document without using Word, or running them, we can use a publicly available tool such as oledump by Didier Stevens. Here’s a brief cut and paste:
As we can see, the macro builds a string in memory that contains a file that is created and written as “vba_macro.exe”.
The file is then promptly executed using the Shell command.
The vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper. It drops the final payload as “%LOCALAPPDATA%FONTCACHE.DAT”, which is a DLL file. It then proceeds to run it, using rundll32:
To ensure execution on every system startup, the dropper creates a LNK file into the system startup folder, which executes the same command as above on every system boot.
The final payload (FONTCACHE.DAT, md5: 3fa9130c9ec44e36e52142f3688313ff) is a minimalistic BlackEnergy (v2) trojan that proceeds to connect to its hardcoded C&C server, 220.127.116.11, on Port 80. The server was previously mentioned by our colleagues from ESET in their analysis earlier this month. The server is currently offline, or limits the connections by IP address. If the server is online, the malware issues as HTTP POST request to it, sending basic victim info and requesting commands.
The request is BASE64 encoded. Some of the fields contain:
The b_id contains a build id and an unique machine identifier and is computed from system information, which makes it unique per victim. This allows the attackers to distinguish between different infected machines in the same network. The field b_gen seems to refer to the victim ID, which in this case is 301018stb. STB could refer to the Ukrainian TV station “STB”, http://www.stb.ua/ru/. This TV station has been publicly mentioned as a victim of the BlackEnergy Wiper attacks in October 2015.
BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and espionage activities.
Our targeting analysis indicates the following sectors have been actively targeted in recent years. If your organization falls into these categories, then you should take BlackEnergy into account when designing your defences:
- ICS, Energy, government and media in Ukraine
- ICS/SCADA companies worldwide
- Energy companies worldwide
The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014. However, the old versions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the unsigned driver which they relied upon to wipe disks at low level and replaced it with more high level wiping capabilities that focus on file extensions as opposed on disks. This is no less destructive than the disk payloads, of course, and has the advantage of not requiring administrative privileges as well as working without problems on modern 64-bit systems.
Interestingly, the use of Word documents (instead of Excel) was also mentioned by ICS-CERT, in their alert 14-281-01B.
It is particularly important to remember that all types of Office documents can contain macros, not just Excel files. This also includes Word, as shown here and alerted by ICS-CERT and PowerPoint, as previously mentioned by Cys Centrum.
In terms of the use of Word documents with macros in APT attacks, we recently observed the Turla group relying on Word documents with macros to drop malicious payloads (Kaspersky Private report available). This leads us to believe that many of these attacks are successful and their popularity will increase.
We will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available.
Kaspersky Lab products detect the various trojans mentioned here as: Backdoor.Win32.Fonten.* and
Indicators of compromise
Word document with macros (Trojan-Downloader.Script.Generic):
Dropper from Word document (Backdoor.Win32.Fonten.y):
Final payload from Word document (Backdoor.Win32.Fonten.o):
BlackEnergy C&C Server: