ESET: BlackEnergy group evolved into TeleBots

News by Max Metzger

Researchers at ESET think they see the return of the BlackEnergy group which wreaked havoc on Ukrainian industries last year.

BlackEnergy is back and with a new brand, according to ESET.  ESET researchers recently published a blogpost noting that recent attacks on Ukrainian financial services bear the distinct hallmarks of BlackEnergy under a new guise.

Due to the malware used, researchers call the group TeleBots, however, they note “it's important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group.”  In fact, the blog post adds, “we think that the BlackEnergy group has evolved into the TeleBots group.”

Among the similarities is the use of the same mail server from which to conduct attack. Robert Lipovski, senior malware researcher at ESET told SC Media UK that this piece of evidence is so damning because “it's a private server, most probably a compromised one. The BlackEnergy group have been using this server for sending out their spear-phishing emails for at least 4 years.”

BlackEnergy first turned heads when a piece of malware knocked out power to hundreds of thousands of Ukrainian citizens in the dead of winter

The malware itself was apparently first built by a hacker called Cr4sh who quickly sold it on for less than £500. It's not known exactly who it was sold to, but discovery of its source code appears to coincide with Russian military activity.

In 2008, when the Russian army went to war in South Ossetia against the tiny baltic state of Georgia, BlackEnergy appeared. It has reemerged on several occasions, demonstrating, according to Kaspersky, “a unique skillset well above the average DDoS botnet master”. Perhaps its most notable activity has been in the reemergence in the low intensity conflict in Ukraine.

At this point, one Russian speaking group began targeting Ukrainian SCADA systems and critical infrastructure, culminating in an outage to 225,000 people in Ukraine two days before Christmas 2015.

US state bodies, including CERT and the US Department of Energy, later confirmed that the outages were a result of a cyber-attack.

ESET points to a number of similarities from its use of a KillDisk function to the groups' choice of targets to the fact that the attacks used exactly the same mail server to convey the link between the two groups

Much like BlackEnergy, TeleBots use spear-phishing emails to launch their attacks . Embedded within those emails are Microsoft Office documents with infected macros, once those macros are turned on, the infection can launch.

That installs a Trojan downloader, meant to open a gateway for yet more malware to come through. ESET researchers found the final payload to be Python/TeleBot.AA Trojan.

The Trojan leverages the Telegram Bot API from Telegram Messenger to communicate with its masters. The samples that ESET researchers got their hands on showed unique telegram tokens embedded in the code. By communicating through chat, the malware allows communication between its masters and any infected device as long as it has telegram installed on it.

Once TeleBots successfully compromised the network, the group uses an array of tools to try and get passwords and steal information before launching its KillDisk function. Lipovski told SC that “the KillDisk functionality is executed only at the cybersabotage phase when the attackers want to wipe the systems and render them unbootable. At this point, stealth is no longer their concern.”

This function, the researchers note, is similar to that used against Ukrainian power companies in 2015. Essentially, once the attackers are done stealing information, they delete critical system files and make the computer unbootable.

The researchers concluded, “The cyber-criminals behind these targeted attacks demonstrate serious intention to conduct cyber-sabotage attacks. To be able to mount such attacks, they are constantly inventing new malware and techniques, such as the use of the Telegram Bot API.”

Whether or not this new attack on Ukrainian financial services is BlackEnergy is not quite clear. Tim Erlin, sr. director of product management at Tripwire has some reservations about that link. He told SC: “The relationship between TeleBots and BlackEnergy isn't entirely clear. There are some demonstrable connections in tools and techniques, but whether the attackers are the same people, part of a tool sharing community, or simply getting their malware from the same source is hard to say.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews