BlackEnergy using Tainted Word Documents

Monday, February 1, 2016 @ 01:02 PM gHale

BlackEnergy malware is infecting victims via Word documents with embedded macros.

The BlackEnergy malware has grown more sophisticated, and its operators are using it with greater success to target energy and ICS/SCADA companies worldwide.


One campaign has targeted Ukraine’s critical infrastructure.

This attack against the country’s energy sector started this past December and led to power outages in the Ivano-Frankivsk region.

Researchers discovered BlackEnergy malware on systems, along with a destructive plugin known as KillDisk designed to delete data and make systems inoperable.

Researchers did say the malware is not directly responsible for the outages; rather, it acted as a diversion to help the attackers cover their tracks and make it more difficult to restore service.

Ukrainian security firm Cys Centrum said the attackers used PowerPoint presentations to deliver the malware. In mid-2015, threat actors started using specially crafted Excel spreadsheets with embedded macros to drop the Trojan onto targeted systems.

Kaspersky Lab said Thursday attackers started attaching malicious Microsoft Word documents to their spear phishing emails. ICS-CERT, which has been assisting CERT Ukraine in investigating the recent attacks, confirmed the use of malicious Word documents.

A document sample was uploaded to an online scanner service on January 20, and only a relatively small number of security products flagged it as a threat. The document in question referenced the Ukrainian far-right nationalist political party Right Sector (Pravyi Sektor).

When the document opens, the user sees a note saying that macros have been disabled for security purposes. To enable them, the victim has to click the “Enable Content” button in the document.

Microsoft disabled macros by default several years ago specifically because malicious actors started abusing the feature to deliver malware. However, bad guys still use the technique and in many cases they trick users into enabling the feature by saying they need to use it to view content.

If macros are enabled, an executable file named “vba_macro.exe” is written to disk. This executable is a BlackEnergy dropper designed to drop and run the final payload, Kaspersky said in a post.
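The chain described above, an Office application writing an executable to disk and launching it, is a parent/child process relationship a defender can alert on. The following is an added example, not code from the article or from any vendor it cites; the JSON event shape and the log lines are constructed for illustration and do not follow any particular product's schema.

```python
import json
from typing import Iterable

# Office applications the article names as macro carriers (Word, Excel, PowerPoint).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Path fragments typical of user-writable locations a macro dropper writes to.
# Constructed heuristic for the example, not an exhaustive list.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def is_suspicious_office_child(event: dict) -> bool:
    """True when an Office app spawns an .exe located in a user-writable path."""
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    child = event.get("image", "").lower()
    if parent not in OFFICE_PARENTS or not child.endswith(".exe"):
        return False
    return any(hint in child for hint in USER_WRITABLE_HINTS)


def find_suspicious(lines: Iterable[str]) -> list:
    """Parse one JSON process-creation event per line; return the events that match."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than crash the pipeline
        if is_suspicious_office_child(event):
            hits.append(event)
    return hits


# Constructed sample telemetry: one dropper launch, two benign events, one malformed line.
SAMPLE_LOG = r"""
{"parent_image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\vba_macro.exe", "user": "alice"}
{"parent_image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "user": "alice"}
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "user": "alice"}
not json at all
"""


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.strip().splitlines()):
        print(f"ALERT: {hit['parent_image']} spawned {hit['image']} as {hit['user']}")
```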

Security firm SentinelOne issued a report detailing the use of Microsoft Office documents and macros in BlackEnergy attacks. The company concluded that internal actors might have helped BlackEnergy attackers, especially in operations aimed at SCADA systems.