BlackEnergy malware, which is believed to be operated by multiple groups, has adopted sophisticated tools and has been targeting energy and ICS/SCADA companies across the world. Recently it has been seen targeting Ukraine’s critical infrastructure.
In December, a BlackEnergy malware attack resulted in a power failure in the Ivano-Frankivsk region. Along with BlackEnergy on the affected systems, investigators found a KillDisk plugin designed to delete data and render the system inoperable. Researchers believe that the malware together with its plugins, rather than the malware alone, was responsible for the power outages.
Cys Centrum, a Ukrainian security firm, reported that attackers used PowerPoint presentations to deliver the malware. Usually the threat actors embed macros in Excel spreadsheets to deliver the Trojan onto the targeted system.
Recently Kaspersky Lab reported that the attackers used specially crafted Microsoft Word documents: they attached malicious code to Microsoft Word documents and sent them via email to potential victims.
The document was crafted so that when it was uploaded to an online scanner, very few security scanners flagged it as a threat, so it passed through security systems with little difficulty.
When the document is opened by the user, it warns them that macros have been disabled for security reasons and that they have to enable them; once macros are enabled, an executable file “vba_macr.exe” is created and installed on the system.
Security firm SentinelOne even concluded that internal actors might have played a role in helping the BlackEnergy attackers, especially in operations aimed at SCADA systems.
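A defender-side check for the behaviour described above, added here as an example (not code from the original article or from any of the vendors it cites): it scans constructed Sysmon-style process-creation events and flags an Office process spawning an executable, rating the hit higher when the child binary lands in a user-writable directory such as the Temp folder where a macro-dropped file like vba_macr.exe would appear. The directory keywords and the benign-helper list are assumptions for the example and should be tuned to the environment.

```python
import re
from pathlib import PureWindowsPath

# Office processes a document macro would run under (Word, Excel, PowerPoint lures are named in the report).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Path components that mark user-writable locations where a dropped binary typically lands (assumption).
USER_WRITABLE = ("appdata", "temp", "public", "downloads")
# Helpers Office legitimately launches itself (assumption; extend for your environment).
BENIGN_CHILDREN = {"splwow64.exe"}

# One process-creation event per line, reduced to the two fields this check needs.
EVENT_RE = re.compile(r"^ParentImage=(?P<parent>.+?) Image=(?P<child>.+)$")

# Constructed sample events: a Word macro dropping vba_macr.exe to Temp, normal Word start-up,
# Excel launching its print helper, and PowerPoint spawning a shell from a system directory.
SAMPLE_LOG = r"""
ParentImage=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE Image=C:\Users\alice\AppData\Local\Temp\vba_macr.exe
ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
ParentImage=C:\Program Files\Microsoft Office\Office15\EXCEL.EXE Image=C:\Windows\splwow64.exe
ParentImage=C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE Image=C:\Windows\System32\cmd.exe
"""


def classify(event: str):
    """Return (severity, child_path) for one event line, or None when nothing is suspicious."""
    m = EVENT_RE.match(event.strip())
    if not m:
        return None
    parent = PureWindowsPath(m["parent"]).name.lower()
    child = PureWindowsPath(m["child"])
    if parent not in OFFICE_PARENTS or child.name.lower() in BENIGN_CHILDREN:
        return None
    # A child written under a user-writable directory is the macro-dropper pattern; anything
    # else spawned by Office is still worth a look, so it gets a lower severity.
    parts = {p.lower() for p in child.parts}
    if any(keyword in parts for keyword in USER_WRITABLE):
        return ("high", str(child))
    return ("medium", str(child))


def scan(log: str):
    """Apply classify() to every line of a log and keep the hits in order."""
    return [hit for line in log.splitlines() if (hit := classify(line))]


if __name__ == "__main__":
    for severity, path in scan(SAMPLE_LOG):
        print(f"{severity}: Office process spawned {path}")
```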
“The only two options then to carry out the attack is – target a victim’s machine that was not patched, or get an internal employee to either accidentally or deliberately execute the infected Excel documents causing the malware to propagate inside the network. At this point it would be highly unlikely that organizations have not deployed the patch against CVE-2014-4114, thus the most likely conclusion is use of an internal actor,” SentinelOne said in its report.
Udi Shamir, Chief Security Officer at SentinelOne, told SecurityWeek that a new attack targeting a Ukrainian power facility had been detected very recently, but that they did not yet have the complete details.