Pierluigi Paganini
December 15, 2016
The BlackEnergy hacker group that targeted the Ukrainian grid one year ago causing a power outage in the country are now targeting Ukrainian banks. The Ukrainian government accused Russia of being involved in the attack, but further analysis revealed that the BlackEnergy malware was not directly responsible for the outages.
According to the experts at the ESET firm, the gang is exploiting the TeleBots malware against banks in Ukraine. The malicious code shares a number of similarities with the malware used by the BlackEnergy group. ESET speculates that the BlackEnergy group crew has evolved across the time into the threat actors called TeleBots group.
“In the second half of 2016, ESET researchers identified a unique malicious toolset that was used in targeted cyberattacks against high-value targets in the Ukrainian financial sector. We believe that the main goal of attackers using these tools is cybersabotage. This blog post outlines the details about the campaign that we discovered.” reads a blog post published by ESET.
“We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.”
The hackers are leveraging on spear phishing message with Microsoft Excel documents containing malicious macros.
Once a victim clicks on the Enable Content button, the macro in TeleBots documents drops a malicious binary using the explorer.exe filename and then to execute it. The malicious code is trojan downloader, that is written in the Rust programming language, that download and executes another strain of malware. This trojan downloader is written in the Rust programming language.
“Once a victim clicks on the Enable Content button, Excel executes the malicious macro. Our analysis shows that the code of the macro used in TeleBots documents matches the macro code that was used by the BlackEnergy group in 2015.” continues ESET.
Below the similarities between BlackEnergy and TeleBots source codes.
“The main purpose of the macro is to drop a malicious binary using the explorer.exe filename and then to execute it. The dropped binary belongs to a trojan downloader family, its main purpose being to download and execute another piece of malware. This trojan downloader is written in the Rust programming language.”
TeleBots hackers are able to fully compromise the machine and spread in the target network, the experts noticed that it is also able to drop the KillDisk malware onto the target machine making it unbootable before displaying a FSociety Mr Robot-themed logo on the computers’ screens as a sign-off.
The experts have no doubts, the TeleBots threat actors aim to conduct cybersabotage attacks, clearly, Russia was the prime suspect.
