BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents - Securelist

BlackEnergy is a Trojan that was created by a hacker known as Cr4sh. In 2007, he reportedly stopped working on it and sold the source code for an estimated $700. The source code appears to have been picked up by one or more threat actors and was used to conduct DDoS attacks against Georgia in 2008. These unknown actors continued launching DDoS attacks over the next few years. Around 2014, a specific user group of BlackEnergy attackers came to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors around the world. This indicated a unique skillset, well above the average DDoS botnet master. For simplicity, we're calling them the BlackEnergy APT group.

One of the preferred targets of the BlackEnergy APT has always been Ukraine. A few days ago, we discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine. Unlike the Office files used in previous attacks, this is not an Excel workbook but a Microsoft Word document. The lure mentions the Ukrainian "Right Sector" party and appears to have been used against a television channel.

Introduction

At the end of last year, a wave of attacks hit several critical sectors in Ukraine. Widely discussed in the media and by our colleagues from ESET, iSIGHT Partners and other companies, the attacks took advantage of both known BlackEnergy Trojans and several new modules. A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum (https://cys-centrum.com/ru/news/black_energy_2_3; the text is only available in Russian for now, but can be read via Google Translate).

In the past, we have written about BlackEnergy, focusing on their destructive payloads, Siemens equipment exploitation and router attack plugins. You can read the blogs published by my GReAT colleagues Kurt Baumgartner and Maria Garnaeva here (https://securelist.com/blog/research/68838/be2-extraordinary-plugins-siemens-targeting-dev-fails/) and here (https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/). We also published about the BlackEnergy DDoS attacks (https://securelist.com/analysis/publications/36309/black-ddos/).

Since mid-2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros which drop the trojan to disk if the user chooses to run the script in the document. For the historians out there, Office documents with macros were a huge problem in the early 2000s, when Word and Excel supported Autorun macros.
That meant that a virus or trojan could run upon the loading of the document and automatically infect a system. Microsoft later disabled this feature, and current Office versions need the user to specifically enable the macros in the document to run them. To get past this inconvenience, modern-day attackers commonly rely on social engineering, asking the user to enable the macros in order to view "enhanced content".

A few days ago, we came across a new document that appears to be part of the ongoing BlackEnergy attacks against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document:

"$RR143TB.doc" (md5: e15b36c2e394d599a8ab352159089dd2)

This document was uploaded to a multiscanner service from Ukraine on Jan 20 2016, with relatively low detection. It has a creation_datetime and last_saved field of 2015-07-27 10:21:00. This means the document may have been created and used earlier, but was only recently noticed by the victim.

Upon opening the document, the user is presented with a dialog recommending the enabling of macros to view the document.

Interestingly, the document lure mentions "Pravii Sektor" (the Right Sector, https://en.wikipedia.org/wiki/Right_Sector), a nationalist party in Ukraine. The party was formed in November 2013 and has since played an active role in the country's political scene.

To extract the macros from the document without using Word, or running them, we can use a publicly available tool such as oledump by Didier Stevens. Here's a brief cut and paste:

[oledump output shown as an image in the original post]

As we can see, the macro builds a string in memory that contains a file that is created and written as "vba_macro.exe".
The file is then promptly executed using the Shell command.

The vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper. It drops the final payload as "%LOCALAPPDATA%\FONTCACHE.DAT", which is a DLL file. It then proceeds to run it using rundll32:

rundll32.exe "%LOCALAPPDATA%\FONTCACHE.DAT",#1

To ensure execution on every system startup, the dropper creates a LNK file in the system startup folder, which executes the same command as above on every system boot:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\{D0B53124-E232-49FC-9EA9-75FA32C7C6C3}.lnk

The final payload (FONTCACHE.DAT, md5: 3fa9130c9ec44e36e52142f3688313ff) is a minimalistic BlackEnergy (v3) trojan that proceeds to connect to its hardcoded C&C server, 5.149.254.114, on port 80. The server was previously mentioned by our colleagues from ESET in their analysis earlier this month (http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/). The server is currently offline, or limits connections by IP address.

If the server is online, the malware issues an HTTP POST request to it, sending basic victim info and requesting commands. The request is BASE64 encoded. Some of the fields contain:

b_id=BRBRB-…
b_gen=301018stb
b_ver=2.3
os_v=2600
os_type=0

The b_id contains a build id and a unique machine identifier and is computed from system information, which makes it unique per victim. This allows the attackers to distinguish between different infected machines in the same network. The field b_gen seems to refer to the victim ID, which in this case is 301018stb. STB could refer to the Ukrainian TV station "STB", http://www.stb.ua/ru/. This TV station has been publicly mentioned as a victim of the BlackEnergy Wiper attacks in October 2015.

BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and espionage activities.
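As an added example (not code from the original post), the following Python shows how a defender could screen proxy or web-server logs for the beacon described above: each POST body is base64-decoded, checked for the five field names the post lists, and the destination is matched against the C&C address from the post. It assumes, since the post does not show the decoded layout, that the payload is an '&'-separated key=value string; the log lines and the b_id value are constructed.

```python
import base64, binascii
from typing import Optional
from urllib.parse import parse_qsl

# Field names the post lists in the BlackEnergy v3 beacon, and its hardcoded C&C address.
BEACON_FIELDS = {"b_id", "b_gen", "b_ver", "os_v", "os_type"}
KNOWN_C2 = {"5.149.254.114"}

def decode_beacon(body: str) -> Optional[dict]:
    """Base64-decode a POST body and parse '&'-separated key=value pairs (assumed layout).
    Returns None when the body is not valid base64 or lacks the beacon fields."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    fields = dict(parse_qsl(raw.decode("ascii", errors="replace"), keep_blank_values=True))
    return fields if BEACON_FIELDS.issubset(fields) else None

def classify(dst_ip: str, body: str) -> str:
    """Verdict for one request: 'c2-and-beacon', 'beacon-only', 'c2-only' or 'clean'."""
    has_beacon = decode_beacon(body) is not None
    to_c2 = dst_ip in KNOWN_C2
    if has_beacon:
        return "c2-and-beacon" if to_c2 else "beacon-only"
    return "c2-only" if to_c2 else "clean"

def scan(log_lines) -> list:
    """Walk constructed 'dst_ip METHOD body' lines; return (dst_ip, verdict, b_gen) per hit."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip it
        dst_ip, body = parts[0], parts[2]
        verdict = classify(dst_ip, body)
        if verdict != "clean":
            fields = decode_beacon(body) or {}
            hits.append((dst_ip, verdict, fields.get("b_gen")))
    return hits

# Constructed samples: a beacon mirroring the post's field values (b_id is made up), plus benign traffic.
SAMPLE_BEACON = base64.b64encode(b"b_id=BRBRB-EXAMPLE&b_gen=301018stb&b_ver=2.3&os_v=2600&os_type=0").decode()
BENIGN_BODY = base64.b64encode(b"q=weather&page=1").decode()
SAMPLE_LOG = [
    f"5.149.254.114 POST {SAMPLE_BEACON}",  # known C&C, beacon body
    f"10.0.0.5 POST {SAMPLE_BEACON}",       # beacon body to an unlisted host
    f"93.184.216.34 POST {BENIGN_BODY}",    # ordinary traffic
    "5.149.254.114 GET /",                  # known C&C, no beacon body
]
```

Running scan(SAMPLE_LOG) flags the first, second and fourth lines; the "beacon-only" verdict is what catches a new C&C address that is not yet on the indicator list.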
Our targeting analysis indicates the following sectors have been actively targeted in recent years. If your organization falls into these categories, then you should take BlackEnergy into account when designing your defences:

- ICS, energy, government and media in Ukraine
- ICS/SCADA companies worldwide
- Energy companies worldwide

The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014. However, the old versions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the unsigned driver which they relied upon to wipe disks at low level and replaced it with more high-level wiping capabilities that focus on file extensions as opposed to disks. This is no less destructive than the disk payloads, of course, and has the advantage of not requiring administrative privileges as well as working without problems on modern 64-bit systems.

Interestingly, the use of Word documents (instead of Excel) was also mentioned by ICS-CERT in their alert 14-281-01B (https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B). It is particularly important to remember that all types of Office documents can contain macros, not just Excel files. This also includes Word, as shown here and alerted by ICS-CERT, and PowerPoint, as previously mentioned by Cys Centrum.

In terms of the use of Word documents with macros in APT attacks, we recently observed the Turla group relying on Word documents with macros to drop malicious payloads (Kaspersky Private report available). This leads us to believe that many of these attacks are successful and their popularity will increase.

We will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available. More information about BlackEnergy APT and extended IOCs are available to customers of Kaspersky Intelligence Services (http://www.kaspersky.com/enterprise-security/intelligence-services). Contact intelreports@kaspersky.com.
Kaspersky Lab products detect the various trojans mentioned here as Backdoor.Win32.Fonten.* and HEUR:Trojan-Downloader.Script.Generic. To know more about countering BlackEnergy and similar offensives, read this article on the Kaspersky Business Blog: https://business.kaspersky.com/black-energy/5091/

Indicators of compromise

Word document with macros (Trojan-Downloader.Script.Generic):
e15b36c2e394d599a8ab352159089dd2

Dropper from Word document (Backdoor.Win32.Fonten.y):
ac2d7f21c826ce0c449481f79138aebd

Final payload from Word document (Backdoor.Win32.Fonten.o):
3fa9130c9ec44e36e52142f3688313ff

BlackEnergy C&C Server:
5.149.254[.]114