ATP group uses Word Docs to drop BlackEnergy Malware

The APT group behind the attacks against critical infrastructure in Ukraine is spreading BlackEnergy malware through specially crafted Word documents.

Malicious campaigns leveraging the BlackEnergy malware are targeting energy and ICS/SCADA companies from across the world. The threat actors behind the recent attacks based on the popular malware are now targeting critical infrastructure in Ukraine.

In December 2015, a cyber attack contributed to a power outage in the Ivano-Frankivsk region. The last variant spread in Ukraine included the KillDisk module that is designed to wipe the targeted systems and make systems inoperable.

The experts at the Ukrainian security firm Cys Centrum discovered that the APT group behind the attack against the Ukraine infrastructure had leveraged PowerPoint presentations to spread the BlackEnergy Trojan. Experts at Kaspersky confirmed that the APT group started using macros in specially crafted Excel spreadsheets to serve the malware on the infected systems. The attackers also used World document in their attacks.

“Few days ago, we came by a new document that appears to be part of the ongoing attacks BlackEnergy against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document: “$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2)” states Kaspersky.

The ICS-CERT confirmed the use of Word documents to spread the malware.

“Recent open-source reports have circulated alleging that a December 23, 2015, power outage in Ukraine was caused by BlackEnergy Malware. ICS-CERT and US-CERT are working with the Ukrainian CERT and our international partners to analyze the malware and can confirm that a BlackEnergy 3 variant was present in the system. ” states the US-CERT”

“in this case the infection vector appears to have been spear phishing via a malicious Microsoft Office (MS Word) attachment. ICS-CERT and US-CERT analysis and support are ongoing, and additional technical analysis will be made available on the US-CERT Secure Portal.”

The experts at Kaspersky confirmed that a malicious word document referenced the Ukrainian nationalist party Pravyi Sektor, was uploaded to an online scanner service on January 20, but only a few security solutions were able to detect the threat.

To trick users into enabling the macro, the victims open the document are displayed a message that requests to enable the macros.

When victims enable macros, an executable file named “vba_macro.exe” is written to the disk, it is the BlackEnergy dropper.

“As we can see, the macro builds a string in memory that contains a file that is created and written as “vba_macro.exe”.

The file is then promptly executed using the Shell command. The vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper.”

According to the experts at Kaspersky, the BlackEnergy malware was created by a hacker known as Cr4sh that sold the code in 2007 for $700. The source code was used for numerous attacks, including the DDoS cyber attacks that targeted the Georgia in 2008, while the country was invaded by the Soviet Russian (RSFSR) Red Army.

The APT group behind the attack continued using the BlackEnergy malware against critical infrastructure in Ukraine

“BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and espionage activities”