Malware based on open-source backdoor targeting Ukraine power industries

Researchers have detected a new malware attack campaign based on an open-source backdoor that is targeting the Ukrainian electric power industry.

In a blog post, ESET malware researcher Robert Lipovsky discusses how the attacks follow on the heels of another malware campaign recently spotted in Ukraine.

"Yesterday (January 19th) we discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December."

On December 23 last year, the Western Ukrainian power company Prykarpattyaoblenergo reported on outages that affected an area including the regional capital of Ivano-Frankivsk.

An investigation later determined that a variant of the BlackEnergy malware had caused "interference" in the working of the company’s systems, which may have led to the power interruption.

While some are calling this incident the first ever malware-caused power outage, others are more skeptical.

For instance, as noted by PCWorld, the SANS Industrial Control Systems (ICS) team published a post earlier this month in which they said that the malware only gave the attackers access to the systems at Prykarpattyaoblenergo and Kyivoblenergo, but did not cause the outage directly.

These concerns notwithstanding, BlackEnergy is still on the loose in Ukraine.

Just earlier this week, specialists of the State Service of Special Communications and Information Protection of Ukraine detected the malware on one of the workstations at Boryspil International Airport. That workstation was connected to the airport’s main IT network, which includes the airport’s air traffic control center.

It is no wonder, therefore, that Lipovsky and his fellow researchers were surprised to learn that BlackEnergy wasn't the malware behind this latest attack on Ukraine's electric power sector:

"What’s particularly interesting is that the malware that was used this time is not BlackEnergy, which poses further questions about the perpetrators behind the ongoing operation. The malware is based on a freely-available open-source backdoor – something no one would expect from an alleged state-sponsored malware operator."

Even so, the attack mimics December's BlackEnergy malware campaigns, which might suggest that the same actors are responsible for both incidents.

Lipovsky explains that the attack begins with a spearphishing email being sent to a victim, containing a malicious XLS file. As with the BlackEnergy campaigns, the email contains HTML content with a link to a .PNG file (what is known as a tracking pixel) located on a remote server. This ensures that the attackers will receive a notification when the email has been opened.

Malicious email

Clicking on the attachment opens a malicious Microsoft Office file that asks the victim to enable macros. The Trojan downloader then executes, loading up malware based on modified versions of an open-source gcat backdoor written in the Python programming language.
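The lure described in the two paragraphs above has two traits a mail gateway can screen for: a remote image in the HTML body that fires an open notification, and an Office attachment in a format that can carry macros. The following Python script is an added example, not ESET's code and not the campaign's code; the message it builds is constructed, and the sender and recipient addresses, the tracker host and the attachment name are placeholders.

```python
"""Triage an inbound message for the two lure traits described above: a remote
tracking image in the HTML body and a macro-capable Office attachment.

Added example (not ESET's code and not the campaign's code). The message built by
build_sample() is constructed; all addresses and file names are placeholders.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Office formats that can carry VBA macros. Assumption: the organisation does not
# expect these from external senders, so their presence raises the score.
MACRO_CAPABLE_EXT = (".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".dotm", ".ppt", ".pptm")


class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src points at a remote HTTP(S) host."""

    def __init__(self):
        super().__init__()
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if urlsplit(src).scheme not in ("http", "https"):
            return
        # A 1x1 (or unsized) remote image is the classic open-notification pixel.
        width, height = attrs.get("width"), attrs.get("height")
        tiny = width in ("0", "1") or height in ("0", "1") or (width is None and height is None)
        self.remote_images.append({"src": src, "tiny": tiny})


def triage(raw: bytes) -> dict:
    """Return the remote images, macro-capable attachments and a 0-2 risk score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"remote_images": [], "macro_attachments": [], "score": 0}

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        finder = RemoteImageFinder()
        finder.feed(html_part.get_content())
        findings["remote_images"] = finder.remote_images

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE_EXT):
            findings["macro_attachments"].append(name)

    if any(img["tiny"] for img in findings["remote_images"]):
        findings["score"] += 1
    if findings["macro_attachments"]:
        findings["score"] += 1
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the lure: HTML body with a remote pixel plus an .xls."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"      # placeholder
    msg["To"] = "dispatch@utility.example"       # placeholder
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        "<html><body><p>Please see the attached invoice.</p>"
        '<img src="http://tracker.sender.example/open.png" width="1" height="1">'
        "</body></html>",
        subtype="html",
    )
    # Placeholder bytes only; a real lure would carry a macro-bearing workbook here.
    msg.add_attachment(b"placeholder-not-a-real-workbook",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="invoice.xls")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample()))
```

Neither trait is malicious on its own (newsletters use tracking pixels, finance teams mail spreadsheets), which is why the script scores rather than blocks; the combination from an external sender is what merits a closer look or a detonation in a sandbox.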

"This backdoor is able to download executables and execute shell-commands. Other GCat backdoor functionality, such as making screenshots, keylogging, or uploading files, was removed from the source code. The backdoor is controlled by attackers using a GMail account, which makes it difficult to detect such traffic in the network."

Gcat backdoor
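The quote above makes the point that Gmail-based command and control hides inside legitimate TLS sessions to Google. What a defender can still act on is context: which hosts are allowed to open IMAP/SMTP sessions to a public webmail provider at all, and how regularly they do so. The script below is an added example, not ESET's code; its firewall log is constructed, and the 10.20.0.0/16 "restricted" range, the 203.0.113.x destinations, the host addresses and the timestamps are placeholders.

```python
"""Flag workstations that talk to Gmail's IMAP/SMTP endpoints although their network
segment has no business doing so, and measure how regular that traffic is.

Added example (not ESET's code). The firewall lines in SAMPLE_LOG are constructed;
the 10.20.0.0/16 range, the 203.0.113.x destinations and the timestamps are placeholders.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: hosts in this range get mail only through the corporate relay and must
# never open IMAP/SMTP sessions to a public webmail provider themselves.
RESTRICTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# What a Gmail-controlled implant needs: IMAP to fetch commands, SMTP to return results.
GMAIL_MAIL_ENDPOINTS = {("imap.gmail.com", 993), ("smtp.gmail.com", 465), ("smtp.gmail.com", 587)}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) sni=(?P<sni>\S+)$"
)

# Constructed sample: one restricted-segment host polling IMAP every 60 s and sending
# once over SMTP, one office host outside the range using Gmail legitimately.
SAMPLE_LOG = """\
2016-01-19T09:00:00 src=10.20.5.17 dst=203.0.113.10 dport=993 sni=imap.gmail.com
2016-01-19T09:00:30 src=10.50.1.8 dst=203.0.113.10 dport=993 sni=imap.gmail.com
2016-01-19T09:00:40 src=10.20.5.17 dst=203.0.113.20 dport=443 sni=www.vendor.example
2016-01-19T09:01:00 src=10.20.5.17 dst=203.0.113.10 dport=993 sni=imap.gmail.com
2016-01-19T09:02:00 src=10.20.5.17 dst=203.0.113.10 dport=993 sni=imap.gmail.com
2016-01-19T09:02:05 src=10.20.5.17 dst=203.0.113.11 dport=465 sni=smtp.gmail.com
2016-01-19T09:03:00 src=10.20.5.17 dst=203.0.113.10 dport=993 sni=imap.gmail.com
"""


def parse(log: str) -> list:
    """Turn firewall lines into events; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": ipaddress.ip_address(m["src"]),
            "dport": int(m["dport"]),
            "sni": m["sni"],
        })
    return events


def in_restricted_net(ip) -> bool:
    return any(ip in net for net in RESTRICTED_NETS)


def find_suspects(events: list) -> dict:
    """Per restricted-net host: Gmail mail endpoints used and IMAP polling regularity."""
    by_host = defaultdict(list)
    for ev in events:
        if (ev["sni"], ev["dport"]) in GMAIL_MAIL_ENDPOINTS and in_restricted_net(ev["src"]):
            by_host[str(ev["src"])].append(ev)

    report = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        imap_ts = [e["ts"] for e in evs if e["dport"] == 993]
        gaps = [(b - a).total_seconds() for a, b in zip(imap_ts, imap_ts[1:])]
        stdev = statistics.pstdev(gaps) if len(gaps) > 1 else None
        report[host] = {
            "endpoints": sorted({f"{e['sni']}:{e['dport']}" for e in evs}),
            "connections": len(evs),
            "imap_median_gap_s": statistics.median(gaps) if gaps else None,
            "imap_gap_stdev_s": stdev,
            # Near-constant polling is the signature of an automated client, not a person.
            "regular_polling": stdev is not None and stdev < 5.0,
        }
    return report


if __name__ == "__main__":
    for host, info in find_suspects(parse(SAMPLE_LOG)).items():
        print(host, info)
```

The rule deliberately keys on the SNI and port rather than destination addresses, since Google's address space changes and the implant's sessions are indistinguishable from a real mail client at the packet level; the segment allow-list and the polling cadence are what separate a distribution-company workstation running an implant from an office user checking personal mail.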

Given the details of the attack, some are starting to wonder whether they were wrong in assuming that Russia was/is responsible for this recent series of malware campaigns. It goes without saying that attribution in these instances is extremely difficult. We must therefore be patient and wait until investigators are able to gather more evidence.

For the time being, however, the mystery continues with regards to who is targeting Ukraine.

flickr photo shared by readephotography under a Creative Commons (BY-ND) license



One Response

  1. coyote

    January 22, 2016 at 9:08 pm

    'which they said that the malware only gave the attackers access to the systems at Prykarpattyaoblenergo and Kyivoblenergo, but did not cause the outage directly.'

    Okay so a guard hands the key to a prisoner and says to the prisoner: Do whatever you like with it but make sure you lock it if you decide to leave (you can even hand me the key back to throw off the scent … you know, make them think you vanished somehow). Then the manager of the prison comes along and sees the prisoner escaped but the cell is locked and there seems to be no other way out; furthermore, the guard has the key.

    Whose fault is it? Technically the prison guard did not let the prisoner out but only gave the prisoner a chance to escape if they so desire. Yet if it wasn't for the guard handing the key over, the prisoner would still be in the prison.

    That's what their argument amounts to (indirection leads to the resource) and it's completely stupid.
