BlackEnergy now using Word documents

Kaspersky Lab had discovered several new developments in the ongoing BlackEnergy Saga

BlackEnergy is believed to have connections to the Russian state

The plot has thickened in the ongoing BlackEnergy Saga, according to Kaspersky Lab. Not only has BlackEnergy purportedly targeted the Ukrainian TV station STB, but it is also now using Word documents in spear-phishing emails to deliver the lethal payload.

Kaspersky Lab discovered this new information when it was investigating the BlackEnergy APT, a group believed to be responsible for many large attacks globally and famous for its takedowns of Ukrainian critical infrastructure. Kaspersky happened upon one particular spear-phishing email carrying the BlackEnergy trojan within the macros of an attached Word document. The document appears to be aimed at the Ukrainian television channel STB and mentions ‘Right Sector’, the far-right Ukrainian political group heavily involved in the overthrow of the previous president.

A Kaspersky Lab representative spoke to SCMagazineUK.com to explain: “The spear-phishing document has been received through industry data-exchange channels. By industry data exchange sources we mean multiple multiscanner services and threat feeds exchange.”

Kaspersky Lab discovered this new information because the malware sends basic information to a C&C server: “Among other information this information includes b_gen field. In the case of the document analysed by Kaspersky Lab this field has the following look b_gen=301018stb. Kaspersky Lab researchers suppose that b_gen is victim identifier and STB could refer to STB TV channel.” The STB TV channel has been a target of BlackEnergy since 2015, but by no means the only one.

BlackEnergy has a long and convoluted past. It was first built by a hacker called Cr4sh, who sold it on for less than £500. The source code then passed through several hands, but oddly enough its use seems to coincide with Russian military adventures.

During 2008, when the Russian army went to war in South Ossetia against the tiny Baltic state of Georgia, BlackEnergy appeared. BlackEnergy re-emerged in several instances over the next six years but made its presence rudely known when Russia annexed parts of Ukraine and sparked a shooting war in Eastern Ukraine and Crimea over the ousting of Ukrainian premier Viktor Yanukovych.

At this point a specific Russian-speaking group began cyber-attacks against Ukrainian SCADA systems and critical infrastructure. Among others, power plants seemed a particular favorite for the group, leading to several power outages. BlackEnergy had also been seen in instances around the world which, according to Kaspersky, “indicated a unique skillset well above the average DDoS botnet master.”

Dr Igor Sutyagin, an expert in Russian military policy at the Royal United Services Institute, spoke to SC on the possible geopolitical implications of BlackEnergy. It is, as Sutyagin admits, very hard to assign culpability in situations like this, but he feels it aligns with the Kremlin's behaviour. “It's a hallmark of the Russian side,” said Sutyagin. “They do these sort of attacks in case of any increase in tension. (because of) The timing for this attack (it) seems quite logical to identify the Russian side.” Only recently, diplomatic relations flared up again in Ukraine over the prolonged, simmering war in the east of the country, and there had just been a physical attack on power supplies to Russian-controlled Crimea.

Sometimes these cyber-attacks coincide very closely with Russian military operations, with little time between a land invasion and one in cyber-space, as was seen in the 2008 South Ossetian conflict in Georgia.

The other interesting aspect of the evidence that Kaspersky has unearthed is that APT groups are increasingly using Word and Excel documents in phishing emails to deploy their malware. Kaspersky discovered that the Word document was attached to the phishing email as the lure.

This seems to be something of an old trick. Some 15 years ago, Word docs would autorun macros, allowing attackers to drop whatever they wanted without too much resistance from the targeted user.

Newer versions of Excel and Word require their users to turn on macros, which in turn requires the wilful attacker to encourage them to do so via social engineering. This infected document does exactly that, telling the user that they will need to enable macros in order to view the whole text.

This is by no means out of character for the BlackEnergy APT group, which has used Excel documents loaded with macros that drop the BlackEnergy trojan upon opening.
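The two signals described above, a document that carries a VBA project and body text asking the reader to enable macros, are exactly what a mail gateway or incident responder can check for before anyone opens the attachment. The following Python is an added example, not code from Kaspersky or the original article; it builds two constructed OOXML containers in memory (a benign one and one that mimics the "enable macros to view the whole text" lure) and triages them. It only handles the zip-based `.docx`/`.docm` layout; the legacy OLE `.doc` format would need a library such as olefile.

```python
import io
import re
import zipfile

# Content type Word uses for the main part of a macro-enabled document (.docm).
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)

# Lure phrases commonly paired with macro-laden attachments (constructed list).
LURE_PATTERNS = [
    r"enable\s+(macros|content|editing)",
    r"macros?\s+(must|need)\s+to\s+be\s+enabled",
]


def build_doc(body_text, with_vba):
    """Construct a minimal OOXML zip that mimics Word's layout (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = MACRO_CONTENT_TYPE if with_vba else PLAIN_CONTENT_TYPE
        z.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>',
        )
        z.writestr(
            "word/document.xml",
            f"<w:document><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p>"
            "</w:body></w:document>",
        )
        if with_vba:
            # Constructed stub: OLE magic bytes only, no real VBA project inside.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()


def triage_document(data):
    """Return a list of findings for one attachment's bytes."""
    findings = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-ooxml"]
    names = set(z.namelist())

    # Signal 1: an embedded VBA project, which a plain document never has.
    if "word/vbaProject.bin" in names:
        findings.append("vba-project-present")

    # Signal 2: the container declares itself macro-enabled.
    if "[Content_Types].xml" in names:
        ct_xml = z.read("[Content_Types].xml").decode(errors="replace")
        if MACRO_CONTENT_TYPE in ct_xml:
            findings.append("macro-enabled-content-type")

    # Signal 3: the visible text pressures the reader into enabling macros.
    text = ""
    if "word/document.xml" in names:
        xml = z.read("word/document.xml").decode(errors="replace")
        text = " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))
    if any(re.search(p, text, re.IGNORECASE) for p in LURE_PATTERNS):
        findings.append("enable-macros-lure")
    return findings


def risk_level(findings):
    """Collapse findings into a verdict a mail gateway could act on."""
    if "vba-project-present" in findings and "enable-macros-lure" in findings:
        return "high"
    if "vba-project-present" in findings or "macro-enabled-content-type" in findings:
        return "medium"
    return "low"


if __name__ == "__main__":
    for label, doc in [
        ("benign", build_doc("Quarterly programme schedule", False)),
        ("lure", build_doc("Please enable macros to view the whole text", True)),
    ]:
        f = triage_document(doc)
        print(label, f, risk_level(f))
```

A document that is both macro-enabled and contains the lure text is the combination worth quarantining outright; a macro-enabled document without the lure still deserves sandbox detonation rather than delivery, since the VBA itself has not been inspected here.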

Once the user has enabled macros and the payload has been dropped, the trojan connects to a certain C&C server and, notes the report, “issues an HTTP Post request to it, sending basic victim info and requesting commands.”
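The check-in described above, an HTTP POST carrying basic victim information including the `b_gen` field, is something a proxy or egress log can be searched for. The Python below is an added example and not code from Kaspersky or the article; it runs over a handful of constructed log lines in a simplified `METHOD URL STATUS BODY` layout (hosts are RFC 5737 documentation addresses, and the field names other than `b_gen` are invented) and reports each POST whose form body carries a `b_gen` value.

```python
import re
from urllib.parse import parse_qs

# Constructed proxy log lines, not real captures. The only field taken from
# the reporting is b_gen; the other body parameters are placeholders.
SAMPLE_LOGS = [
    "POST http://203.0.113.10/gate 200 b_gen=301018stb&cmd=check",
    "GET http://example.org/index.html 200 -",
    "POST http://192.0.2.7/submit 200 user=alice&action=save",
    "POST http://198.51.100.5/x.php 404 b_gen=ABC123xyz&v=1",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<body>.*)$")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_of(url):
    """Extract the host (or bare IP) portion of a URL without a full parser."""
    return re.sub(r"^https?://", "", url).split("/")[0]


def detect_beacons(lines):
    """Return (host, b_gen) for every POST whose form body carries a b_gen field."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        fields = parse_qs(rec["body"], keep_blank_values=True)
        if "b_gen" not in fields:
            continue
        hits.append((host_of(rec["url"]), fields["b_gen"][0]))
    return hits


def victims_by_tag(hits):
    """Group check-in hosts by the b_gen value, which may identify the victim."""
    groups = {}
    for host, tag in hits:
        groups.setdefault(tag, []).append(host)
    return groups


if __name__ == "__main__":
    found = detect_beacons(SAMPLE_LOGS)
    for host, tag in found:
        print(f"possible check-in to {host} with b_gen={tag}")
    print(victims_by_tag(found))
```

Matching on the `b_gen` parameter alone is a narrow indicator that a later build could simply rename, so in practice it belongs alongside broader signals such as POSTs to bare-IP hosts from Office child processes; here it serves to show how the reported field maps onto a log search.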

SC spoke to Symantec's director of security response, Orla Cox, who said that while macros dropping malware is nothing new, an APT group using these techniques is. “It's more of a technique that we'd see used in cyber-crime,” says Cox. Using macros tends to be a lot simpler, though it does require some social engineering: “In cyber-crime you're going for mass attacks so the likelihood of your exploit working is diminished.” APT groups “tend to rely on exploiting vulnerabilities in the software itself.”