Researchers uncover new delivery tactics used by BlackEnergy

Attackers use Microsoft Office to push the SCADA targeting malware

power grid electrical
Credit: April

Researchers at SentinelOne have discovered a new delivery tactic being used to spread BlackEnergy, the malware known for targeting SCADA systems across Europe. The latest variant of the rootkit is targeting Microsoft Office and points to actors with insider access.

The latest variant of BlackEnergy (BlackEnergy 3) is the same malware used in recent attacks against Ukraine's critical infrastructure.

SentinelOne reverse engineered the malware and discovered indicators that suggest it is being used by insiders to target industrial control systems.

Moreover, their analysis – published in a report on Wednesday – suggests that the rootkit is the byproduct of a nation-sponsored campaign, but they didn't name any suspects.

BlackEnergy 3 exploits an Office 2013 vulnerability that was patched some time ago, so it only works if the target machine isn't patched or an employee (either deliberately or after being tricked into it) executes the malicious Excel document.

But because it's unlikely that organizations haven't deployed the patch required to mitigate the vulnerability, SentinelOne says an insider is to blame for infections.

"In this particular sample the actor appears to have advanced a method used back in 2014 against Industrial Control Systems deployed in NATO countries, and more broadly across the European Union," the report says.

"At that time, the actor used a vulnerability, CVE-2014-4114, in the OLE packager 2 (packager.dll) in the way it parses INF files. Each binary was compiled using different compiler versions, which led us to conclude that different groups are in fact directly involved in this campaign – much like a typical R&D project supported by different engineering teams who each follow their own unique development characteristics. These different characteristics have established unique fingerprints that ID each of the individual group’s traits."

The researcher's conclusion is that the latest version of BlackEnergy is already resident in systems across the Ukraine, as well as other European nations. If true, the malware can be used to trigger more blackouts and malfunctions at utilities, transportation control systems, and even healthcare institutions.

Given the constantly changing attack vectors, most anti-Virus vendors would have a hard time detecting attacks using BlackEnergy, despite the fact that each variant shares a common core.

The full report on the BlackEnergy sample is available online.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.