BlackEnergy APT Group Spreading Malware via Tainted Word Docs

Attackers have begun using rigged Microsoft Word documents propagated via spearphishing emails to spread the BlackEnergy Trojan.

Researchers with Kaspersky Lab’s Global Research and Analysis Team discovered a malicious Word document last week that appears to stem from a campaign against one of the malware’s favorite targets, Ukraine.

Russian-speaking actors with the BlackEnergy APT group have been using rigged Excel and PowerPoint files as an attack vector for the malware since mid-2015, but this is the first time the group has used Word documents, GReAT Director Costin Raiu claims.

According to a breakdown of the malware on Securelist today, victims are encouraged to enable macros shortly after opening the malicious document. Naturally, after doing so, a script in the document runs and triggers a BlackEnergy infection.
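Documents of this kind are best caught by inspecting the attachment's content rather than trusting its extension. The following is an added example, not code from Kaspersky or this article, of a stdlib-only Python triage check that flags a VBA project by the markers each Office container format leaves behind; the sample files it builds are constructed placeholders.

```python
import io
import zipfile

# Legacy binary Office files (.doc) are OLE2 compound files whose directory
# entry names are stored as UTF-16LE, so a VBA project leaves these strings in
# the raw bytes. Matching on them is a triage heuristic, not a full OLE parser.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE2_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
# OOXML (.docx/.docm) is a zip; a VBA project lives in vbaProject.bin and is
# declared with this content type in [Content_Types].xml.
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """True if the document bytes appear to carry a VBA project, regardless of
    the file extension the attachment claims."""
    if data.startswith(OLE2_MAGIC):
        return any(marker in data for marker in OLE2_MACRO_MARKERS)
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.endswith("vbaProject.bin") for n in names):
                    return True
                if "[Content_Types].xml" in names:
                    return MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml")
        except zipfile.BadZipFile:
            return False
    return False


def build_ooxml_sample(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macros:
            types += '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real project")
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_ole2_sample(with_macros: bool) -> bytes:
    """Constructed sample: OLE2 header bytes plus, optionally, a VBA stream name."""
    body = OLE2_MAGIC + b"\x00" * 64
    if with_macros:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body
```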

Raiu notes that at least for the document Kaspersky Lab evaluated, the payload is on the smaller side of things. Once it kicks into gear, the malware, a minimalistic Trojan, forwards information about the machine to its command and control (C&C) server.

The researchers believe the group behind the malware may have already used BlackEnergy in an attack against a Ukrainian television channel by tricking someone there into opening a document about a far-right Ukrainian nationalist political party.

The document GReAT analyzed mentions Pravii Sektor, or Right Sector, a Ukrainian nationalist party that formed in 2013.

Raiu, who dissected the Word file and the payload, points out that the server it communicates with was either offline or limiting IP connections, but he was still able to observe the request fields in the C&C connection.

One of the fields, b_gen, appears to correspond to the victim ID, or in this instance, “301018stb,” something that Raiu believes refers to STB, a television channel headquartered in Kiev. The channel was previously mentioned as a victim in BlackEnergy Wiper attacks in October last year.

Duping users into opening malicious Office documents and enabling macros has been something of a fountain of youth for attackers over the last few years. Attackers behind Dridex leveraged the technique, which had its heyday in the early 2000s, to spread the banking Trojan last year via XML file attachments and Word documents.

Raiu expected the group to shift to Word documents sooner or later.

“In the past, we’ve seen the BlackEnergy group target entities in Ukraine using Excel and PowerPoint documents. The use of Word documents was also expected so this confirms our suspicions,” Raiu said.

A report from the firm SentinelOne this week (.PDF) claims the BlackEnergy attacks are an inside job and that a strain of the malware is already present in industrial control systems across Ukraine. The firm, which reverse engineered BlackEnergy3, insists the malware relies on a dated Office 2013 vulnerability that has likely been patched by many companies, suggesting the malware can only execute if the machine hasn’t been patched, or if an insider deliberately triggers, or is tricked into triggering, an infected Excel document.

BlackEnergy has existed in some shape or form since 2007 but some could argue it wasn’t until 2014, when it started incorporating SCADA plugins and targeting the energy sector, both in Ukraine, and worldwide, that the malware really picked up steam.

The United States Industrial Control System Cyber Emergency Response Team (ICS-CERT) sounded the alarm over BlackEnergy that October, warning that it had been found at several companies running internet-connected HMI software from vendors including Advantech and Siemens. In November, GReAT researchers Maria Garnaeva and Kurt Baumgartner detailed the malware’s custom plugin capabilities and the challenges they were creating for SCADA networks and energy firms in Eastern Europe, former Russian states, Asia and the Middle East.

At the tail end of last year the malware was used in several attacks on the critical sector in Ukraine.

It has been disputed, but the general consensus is that attackers used BlackEnergy3 to knock a collection of substations belonging to Prykarpattya Oblenergo, a power distributor in Ukraine, offline on December 23 last year.

Raiu notes that the consortium of attackers behind BlackEnergy has really fine-tuned the malware, improving on versions from 2014 that were “crude and full of bugs.”

“BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and espionage activities,” Raiu writes.