|Type your keyword...|Col2| |---|---| **The cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and has** **made a comeback in 2014 (see our previous blog posts on Back in BlackEnergy *: 2014 Targeted Attacks** ----- **ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a** **destructive KillDisk component in attacks against Ukrainian news media companies and against the** **electrical power industry. In this blog, we provide details on the BlackEnergy samples ESET has detected in** **2015, as well as the KillDisk components used in the attacks. Furthermore, we examine a previously** **unknown SSH backdoor that was also used as another channel of accessing the infected systems, in** **addition to BlackEnergy.** **We continue to monitor the BlackEnergy malware operations for future developments. For any inquiries or** **[to make sample submissions related to the subject, contact us at: threatintel@eset.com](mailto:threatintel@eset.com)** ## BlackEnergy evolution in 2015 **Once activated, variants of BlackEnergy Lite allow a malware operator to check specific criteria in order to�** **assess whether the infected computer truly belongs to the intended target. If that is the case, the dropper** **of a regular BlackEnergy variant is pushed to the system. The exact mechanism of infection by** **[BlackEnergy is described in our Virus Bulletin presentation and this whitepaper by F-Secure.](https://www.virusbtn.com/conference/vb2014/abstracts/LM3-LipovskyCherepanov.xml)** **The BlackEnergy malware stores XML configuration data embedded in the binary of DLL payload.�** **Figure 1 – The BlackEnergy configuration example used in 2015�** **Apart from a list of C&C servers, the BlackEnergy config contains a value called build_id. This value is a�** **unique text string used to identify individual infections or infection attempts by the BlackEnergy malware** **operators. The combinations of letters and numbers used can sometimes reveal information about the** **campaign and targets.** **Here is the list of Build ID values that we identified in 2015:�** **2015en** **khm10** **khelm** **2015telsmi** ----- **kiev_o** **brd2015** **11131526kbp** **02260517ee** **03150618aaa** **11131526trk** **We can speculate that some of them have a special meaning. For example 2015telsmi could contain the** **[Russian acronym SMI – Sredstva Massovoj Informacii, 2015en could mean Energy, and there’s also the](https://en.wiktionary.org/wiki/%D0%A1%D0%9C%D0%98)** **obvious “Kiev”.** ## KillDisk component **In 2014 some variants of the BlackEnergy trojan contained a plugin designed for the destruction of the** **infected system, named dstr.** **In 2015 the BlackEnergy group started to use a new destructive BlackEnergy component detected by ESET** **products as Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.** **The main purpose of this component is to do damage to data stored on the computer: it overwrites** **documents with random data and makes the OS unbootable.** **The first known case where the KillDisk component of BlackEnergy was used was �documented by CERT-** **UA in November 2015. In that instance, a number of news media companies were attacked at the time of** **the 2015 Ukrainian local elections. The report claims that a large number of video materials and various** **documents were destroyed as a result of the attack.** **It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on** **destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite�** **and delete. The complete list contains more than 4000 file extensions.�** **Figure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB�** **The KillDisk component used in attacks against energy companies in Ukraine was slightly different. Our�** **analysis of the samples shows that the main changes made in the newest version are:** ----- **should activate.** **It also deletes Windows Event Logs : Application, Security, Setup, System.** **It is less focused on deleting documents. Only 35 file extensions are targeted.�** **Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component�** **As well as being able to delete system files to make the system unbootable – functionality typical for such�** **destructive trojans – the KillDisk variant detected in the electricity distribution companies also appears to** **contain some additional functionality specifically intended to sabotage industrial systems.�** **Once activated, this variant of the KillDisk component looks for and terminates two non-standard** **processes with the following names:** **komut.exe** **sec_service.exe** **We didn’t manage to find any information regarding the name of the first process (komut.exe).�** **The second process name may belong to software called ASEM Ubiquity, a software platform that is often** **used in Industrial control systems (ICS), or to ELTIMA Serial to Ethernet Connector. In case the process** **is found, the malware does not just terminate it, but also overwrites the executable file with random data.�** ## Backdoored SSH server **In addition to the malware families already mentioned, we have discovered an interesting sample used by** **the BlackEnergy group. During our investigation of one of the compromised servers we found an** **[application that, at first glance, appeared to be a legitimate SSH server called �Dropbear SSH.](https://matt.ucc.asn.au/dropbear/dropbear.html)** **In the order to run the SSH server, the attackers created a VBS file with the following content:�** **Set WshShell = CreateObject(“WScript.Shell”)** **WshShell.CurrentDirectory = “C:\WINDOWS\TEMP\Dropbear\”** **WshShell.Run “dropbear.exe -r rsa -d dss -a -p 6789″, 0, false** **As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the** **server in a compromised network, attackers can come back to the network whenever they want.** **However, for some reason this was not enough for them. After detailed analysis we discovered that the** **binary of the SSH server actually contains a backdoor.** ----- **Figure 4 – Backdoored authentication function in SSH server** **As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password** **passDs5Bu9Te7 was entered. The same situation applies to authentication by key pair – the server** **contains a pre-defined constant public key and it allows authentication only if a particular private key is�** **used.** **Figure 5 – The embedded RSA public key in SSH server** **ESET security solutions detect this threat as Win32/SSHBearDoor.A trojan.** ## Indicators of Compromise (IoC) **IP addresses of BlackEnergy C2-servers:** **5.149.254.114** **5.9.32.230** **31.210.111.154** **88.198.25.92** **146.0.74.7** **188.40.8.72** **XLS document with malicious macro SHA-1:** **AA67CA4FB712374F5301D1D2BAB0AC66107A4DF1** **BlackEnergy Lite dropper SHA-1:** **4C424D5C8CFEDF8D2164B9F833F7C631F94C5A4C** ----- **896FCACFF6310BBE5335677E99E4C3D370F73D96** **BlackEnergy drivers SHA-1:** **069163E1FB606C6178E23066E0AC7B7F0E18506B** **0B4BE96ADA3B54453BD37130087618EA90168D72** **1A716BF5532C13FA0DC407D00ACDC4A457FA87CD** **1A86F7EF10849DA7D36CA27D0C9B1D686768E177** **1CBE4E22B034EE8EA8567E3F8EB9426B30D4AFFE** **20901CC767055F29CA3B676550164A66F85E2A42** **2C1260FD5CEAEF3B5CB11D702EDC4CDD1610C2ED** **2D805BCA41AA0EB1FC7EC3BD944EFD7DBA686AE1** **4BC2BBD1809C8B66EECD7C28AC319B948577DE7B** **502BD7662A553397BBDCFA27B585D740A20C49FC** **672F5F332A6303080D807200A7F258C8155C54AF** **84248BC0AC1F2F42A41CFFFA70B21B347DDC70E9** **A427B264C1BD2712D1178912753BAC051A7A2F6C** **A9ACA6F541555619159640D3EBC570CDCDCE0A0D** **B05E577E002C510E7AB11B996A1CD8FE8FDADA0C** **BD87CF5B66E36506F1D6774FD40C2C92A196E278** **BE319672A87D0DD1F055AD1221B6FFD8C226A6E2** **C7E919622D6D8EA2491ED392A0F8457E4483EAE9** **CD07036416B3A344A34F4571CE6A1DF3CBB5783F** **D91E6BB091551E773B3933BE5985F91711D6AC3B** **E1C2B28E6A35AEADB508C60A9D09AB7B1041AFB8** **E40F0D402FDCBA6DD7467C1366D040B02A44628C** **E5A2204F085C07250DA07D71CB4E48769328D7DC** **KillDisk-components SHA-1:** **16F44FAC7E8BC94ECCD7AD9692E6665EF540EEC4** **8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569** **6D6BA221DA5B1AE1E910BBEAA07BD44AFF26A7C0** **F3E41EB94C4D72A98CD743BBB02D248F510AD925** **VBS/Agent.AD trojan SHA-1:** **72D0B326410E1D0705281FDE83CB7C33C67BC8CA** **Win32/SSHBearDoor.A trojan SHA-1:** **166D71C63D0EB609C4F77499112965DB7D9A51BB** **[Picture credits: ©flickr/tanozzo�](https://www.flickr.com/photos/tanozzo/4778327737/in/photolist-8hfbmZ-bDuZYz-hDMaip-5VBPny-nTpobM-bjnSt8-obiT2T-6dLNys-ijocCK-b4MfsH-oKUfSr-xmzJEz-kXBnVr-kRUAw-6QwkKt-oaKuyv-itcRjN-5XJ5vs-4NWXby-eqCMfw-Uykkj-ozd6wq-84iqKk-YHqSi-x8SLP-b8Berg-9ZQbLV-kXBhDV-wazGaq-5UGzx1-hJd44C-gtMnyH-rgen12-rK8mhU-aryyDA-9mZLcv-m9CBct-kLyvjg-bf2wBz-8ZAdkB-4MVwFt-arJhqe-dp9nky-dUXpjv-Bd7HW-AXDksz-c3Z5dA-c3Z4Cs-c3Z3GC-c3YZU1)** **189** **LikeLike** **Whats app** **LikeLike** ----- **BlackEnergy trojan strikes again: Attacks Ukrainian electric** **power industry** **Moonfruit takes customers' sites offline, as it prepares for DDoS�** **attack** **[5 things you need to know about social engineering](http://www.welivesecurity.com/2015/12/30/5-things-need-know-social-engineering/)** **[Europol makes 12 arrests in Remote Access Trojan crackdown](http://www.welivesecurity.com/2015/12/15/europol-makes-12-arrests-remote-access-trojan-crackdown/)** ----- **Recommend** **Share** **Sort by Best** ### Join the discussion… **•** **2 days** **Proturk** **ago** #### First process name "komut" means "command" in Turkish. **Share ›** **1** **• Reply •** **Email...** **[About Us](http://www.welivesecurity.com/about-us/)** **[Contact Us](http://www.welivesecurity.com/contact-us/)** **[Home](http://www.welivesecurity.com/)** **[How To](http://www.welivesecurity.com/category/how-to/)** **[Expert Opinion](http://www.welivesecurity.com/category/opinion-2/)** **[Videos](http://www.welivesecurity.com/media/videos/)** **[Papers](http://www.welivesecurity.com/papers/conference-papers/)** **[Our Experts](http://www.welivesecurity.com/our-experts/)** **[Virus Radar](http://www.virusradar.com/)** **Sit** **Submit** ----- **[Legal Information](http://www.welivesecurity.com/legal-information/)** **COPYRIGHT © 2016 ESET, ALL RIGHTS RESERVED.** -----