Ukraine was recently attacked by malware whose objective was to sabotage the control systems of public infrastructure. Several electricity distributors were compromised by the BlackEnergy Trojan on 23 December, leaving homes in the Ukrainian region of Ivano-Frankivsk (with a population of around 1.5 million inhabitants) without electricity.
However, this was not the only attack against control systems in Ukraine: at the start of this year there was an attack against the IT systems of Kiev airport with the intention of causing chaos and confusion by disrupting air service. The incidents were related in that the malware detected was similar to BlackEnergy, although in this case it was detected in its initial stages and could be eliminated without consequences. In November 2015 there was also an attack against television channels and media with similar characteristics to those described.
Description and evolution of BlackEnergy
BlackEnergy has evolved from being a Trojan to become an Advanced Persistent Threat (APT). This is not a recent malware sample; in fact, it was first detected in 2007.
- BlackEnergy timeline -
It was originally designed as a tool for building botnets with the objective of conducting DDoS attacks. The Trojan includes a builder that generates the bot clients the attacker uses to infect victims' machines. It also provides scripts to carry out the DDoS attacks, which the attacker configures from the C&C (Command and Control) server, as well as an interface to control the infected computers.
A significant property of this Trojan is its ability to be extended through components or plugins that target other platforms (ARM) or add capabilities such as stealing certificates. In its latest attack the most used extension was the KillDisk module.
- BlackEnergy 1 toolkit. (Source: F-Secure) -
The second version of this Trojan includes a rootkit so that it can remain hidden on the system. This new version was first detected in 2010.
In 2014 variants appeared that restricted the kernel-mode component to loading the malicious payload, or that did away with it entirely and loaded the payload directly through the rundll32.exe process; the latter version is known as BlackEnergy Lite. Operating in kernel mode had become a hindrance for the attackers, since it had to overcome new operating-system countermeasures such as driver signing and Secure Boot, making this type of attack too costly.
- Part of the BlackEnergy code: Offsets of Windows 8 and 8.1 kernel structures (Source: F-Secure) -
In 2015, BlackEnergy added the variants Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD, detected by CERT-UA, which include the KillDisk component. This was the version used in the attack.
Anatomy of the BlackEnergy attack
Routes of infection
The main route of infection was e-mail with attached documents that spoofed the sender, normally an authority (in this case a political party), deceiving the user into activating the executable; the alternative was exploits that silently installed the malware.
- Routes of BlackEnergy infection -
A version was also found that simulated an Adobe Flash Player installer.
The most used installers of the BlackEnergy Trojan are those named msiexec.exe.
In April 2014, a variant of BlackEnergy took advantage of a vulnerability in Microsoft Word. Campaigns were subsequently carried out through PowerPoint files, according to the company ESET. The most recent technical analyses of BlackEnergy identified the use of critical vulnerabilities affecting Microsoft Office software together with malicious macros. Specifically, it uses at least the vulnerabilities CVE-2014-4114 (PowerPoint) and CVE-2014-1761 (Word), although Excel files have also been used for infection.
The installer is launched through manipulated documents or applications that contain the Trojan. In the latest version, used against the electrical installations in Ukraine, msiexec.exe was not executed; instead a macro named vba_macro.exe was activated by dropper-type malware (execution of macros hidden in the decoy document).
- Excel macro for generating a malicious executable file associated with BlackEnergy -
The malicious payload of the dropper is a DLL executed by the rundll32 process, which creates an LNK file that allows the malware to persist after a reboot. During the loading process a connection is made to the C&C server.
Once connected to the server, the malware sends POST requests containing information about the victim and requesting commands.
- POST request sending basic information about the victim in Base64. (Source: https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/) -
The version of BlackEnergy analysed supports the use of proxy servers to connect to C&C servers. This makes deployment possible in environments where end users need a proxy to reach the Internet. This inclusion shows the intentions of the criminals and their prior knowledge of the target. Malware samples with a proxy server linked to Ukrainian rail or to the domains of cities such as Dnipropetrovsk, the fourth largest city in Ukraine, have been collected.
After communication with the C&C server the modules necessary for the attack are downloaded. Specifically, the KillDisk module, which then seeks two processes:
- Sec_service.exe: www.runscanner.net/lib/sec_service.exe.html (link not currently available). Linked to the ELTIMA Serial to Ethernet Connector software or to ASEM Ubiquity, both used in industrial control systems. The first is software that bridges serial protocols to Ethernet so that the devices can be managed more efficiently; the second is support software that allows remote management of WinCE and Win32/64 solutions. If the Trojan finds this process on the attacked system it not only terminates it, but also overwrites the executable with random data, making restoration difficult.
- komut.exe: A file that contains important information on how a program or service must be executed. Altering it can affect other programs and/or services running on the device.
As such, the objectives of KillDisk's main functions are to:
- Delete system files to make rebooting as difficult as possible.
- Delete the events in the Windows log.
- Add the option of introducing a delay in the activation of a destructive malicious payload.
Therefore, the focus is on deleting system functionalities rather than deleting files (unlike the previous attacks).
While the first versions of the Trojan deleted around 4000 file extensions, the version used in Ukraine is limited to only 35.
- Extensions looked for by BlackEnergy to delete files -
Recommendations and prevention
The recommendations and good practices for protection against the BlackEnergy Trojan are:
- Use of process whitelists, preventing the execution of processes that have been modified.
- Separation of environments, using a computer for tasks corresponding to control systems (OT) and another for management tasks corresponding to information systems (IT).
- Training of employees and security awareness-raising on the use of certain software and the opening of files received from the Internet.
- Updating of systems and application of security patches to prevent already known vulnerability attacks.
- Updating of antivirus signatures and antimalware programs that can give a rapid response to APTs.
- Use of systems to manage events and monitor traffic.
As a general complement to these measures, and specifically for detecting and preventing BlackEnergy malware, it is recommended to use Yara rules and the publicly available indicators of compromise.
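The event-monitoring recommendation above can be turned into concrete detections for the behaviours this article describes (Office document spawning the macro dropper, rundll32 loading a DLL from a user-writable path, LNK persistence, termination of the sec_service.exe/komut.exe processes, and clearing of the Windows event log). The following is an added example, not code from the original article or from any vendor; it runs over constructed Sysmon-style events with invented paths and file names, not real telemetry from the Ukrainian incident.

```python
"""Detection logic for the BlackEnergy/KillDisk behaviours described above,
run over constructed Sysmon-style events (not real telemetry)."""
import re

# Constructed events: 1 = process create, 5 = process terminate,
# 11 = file create, 1102 = Security log cleared. Paths and names are made up.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Users\ana\AppData\Local\Temp\vba_macro.exe", "cmd": "vba_macro.exe"},
    {"id": 1, "parent": r"C:\Users\ana\AppData\Local\Temp\vba_macro.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe "C:\Users\ana\AppData\Local\Temp\payload.dll",#1'},
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 5, "image": r"C:\Program Files\Eltima\sec_service.exe"},
    {"id": 1102, "image": ""},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",           # benign control event
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}       # macro-capable parents
ICS_PROCS = {"sec_service.exe", "komut.exe"}                 # processes KillDisk seeks
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp)\\", re.I)


def basename(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) alerts for the behaviours in the attack chain."""
    alerts = []
    for e in events:
        eid = e["id"]
        if eid == 1 and basename(e["parent"]) in OFFICE:
            alerts.append(("office_spawned_executable", basename(e["image"])))
        if eid == 1 and basename(e["image"]) == "rundll32.exe" and USER_WRITABLE.search(e["cmd"]):
            alerts.append(("rundll32_dll_from_user_path", e["cmd"]))
        if eid == 11 and "\\startup\\" in e["target"].lower() and e["target"].lower().endswith(".lnk"):
            alerts.append(("startup_lnk_persistence", basename(e["target"])))
        if eid == 5 and basename(e["image"]) in ICS_PROCS:
            alerts.append(("ics_bridge_process_terminated", basename(e["image"])))
        if eid == 1102:
            alerts.append(("security_log_cleared", ""))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Each rule on its own is noisy; correlating them on one host within a short window is what separates this chain from legitimate administration.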