Attackers use Microsoft Office to push the SCADA-targeting malware

Researchers at SentinelOne have discovered a new delivery tactic being used to spread BlackEnergy, the malware known for targeting SCADA systems across Europe. The latest variant of the rootkit targets Microsoft Office and points to actors with insider access.

The latest variant of BlackEnergy (BlackEnergy 3) is the same malware used in recent attacks against Ukraine’s critical infrastructure. SentinelOne reverse-engineered the malware and discovered indicators that suggest it is being used by insiders to target industrial control systems. Moreover, their analysis, published in a report on Wednesday, suggests that the rootkit is the byproduct of a nation-sponsored campaign, but they didn’t name any suspects.

BlackEnergy 3 exploits an Office 2013 vulnerability that was patched some time ago, so it only works if the target machine isn’t patched or an employee (either deliberately or after being tricked into it) executes the malicious Excel document. But because it’s unlikely that organizations haven’t deployed the patch required to mitigate the vulnerability, SentinelOne says an insider is to blame for infections.

“In this particular sample the actor appears to have advanced a method used back in 2014 against Industrial Control Systems deployed in NATO countries, and more broadly across the European Union,” the report says. “At that time, the actor used a vulnerability, CVE-2014-4114, in the OLE packager 2 (packager.dll) in the way it parses INF files. Each binary was compiled using different compiler versions, which led us to conclude that different groups are in fact directly involved in this campaign – much like a typical R&D project supported by different engineering teams who each follow their own unique development characteristics.
These different characteristics have established unique fingerprints that ID each of the individual group’s traits.”

The researchers’ conclusion is that the latest version of BlackEnergy is already resident in systems across Ukraine, as well as other European nations. If true, the malware can be used to trigger more blackouts and malfunctions at utilities, transportation control systems, and even healthcare institutions. Given the constantly changing attack vectors, most anti-virus vendors would have a hard time detecting attacks using BlackEnergy, despite the fact that each variant shares a common core.

The full report on the BlackEnergy sample is available online.
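The delivery vector described above (an Office document carrying an OLE Packager object whose embedded file, such as an INF, is what the old packager bug parsed) is something a defender can triage for without opening the document in Office. The script below is an added example written for this article; it is not code from SentinelOne's report or from the BlackEnergy analysis. It treats an OOXML file as the zip it is, enumerates the `embeddings/` entries, and flags any embedded object that carries the markers of an OLE Packager stream (`Ole10Native`, or the `Package` class name in UTF-16) together with a payload name ending in a script or installer extension. The sample workbook it scans is constructed in memory and is only a stand-in for a real spreadsheet; the extension list beyond `.inf`, and the simplified `Ole10Native` layout in the sample, are assumptions of this example.

```python
import io
import re
import zipfile

# OLE Packager objects are stored in a stream named "\x01Ole10Native" (or carry
# the "Package" class name); the packaged file's label and original path appear
# in that stream as NUL-terminated strings, so a strings-style scan finds them.
PACKAGER_MARKERS = (b"Ole10Native", "Package".encode("utf-16-le"))

# Extensions that should not be packaged inside a spreadsheet. INF is the type
# CVE-2014-4114 abused; the others are common script/executable types added here
# as an assumption of this example, not taken from the article.
SUSPICIOUS_EXT = re.compile(rb"\.(inf|exe|scr|vbs|js|hta|cmd|bat|ps1)$", re.I)


def printable_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes, like `strings`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group(0)


def triage_ooxml(data: bytes) -> dict:
    """Enumerate embedded OLE objects in an OOXML file and flag Packager payloads."""
    findings = {"embeddings": [], "packager": [], "payload_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # Embedded objects live under word/, xl/ or ppt/ "embeddings/".
            if "/embeddings/" not in name:
                continue
            findings["embeddings"].append(name)
            blob = z.read(name)
            if not any(marker in blob for marker in PACKAGER_MARKERS):
                continue
            findings["packager"].append(name)
            # Pull out every string that looks like a packaged file name/path.
            for s in printable_strings(blob):
                if SUSPICIOUS_EXT.search(s):
                    findings["payload_names"].append(s.decode("ascii"))
    # A Packager object is only suspicious here if it carries such a payload.
    findings["suspicious"] = bool(findings["payload_names"])
    return findings


def build_sample(with_packager: bool) -> bytes:
    """Constructed OOXML-like zip for the demo; not a real workbook or CFB file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_packager:
            # Simplified Ole10Native layout (assumed for the sample): size field,
            # flags, then NUL-terminated label and source path of the packaged
            # file. A real object would sit inside a CFB container.
            stream = (b"\x01Ole10Native"
                      b"\x00\x00\x00\x00\x02\x00"
                      b"setup.inf\x00C:\\tmp\\setup.inf\x00")
            z.writestr("xl/embeddings/oleObject1.bin", stream)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("packager-with-inf", True)):
        print(label, triage_ooxml(build_sample(flag)))
```

Point the function at a real `.xlsx`/`.docx`/`.pptx` read from disk (`triage_ooxml(open(path, "rb").read())`) to list its embeddings; on a clean document `packager` and `payload_names` come back empty. The check is deliberately a coarse triage filter: it tells you which files deserve a full OLE parse or a sandbox run, and a hit on an INF-named payload in a spreadsheet that no business process should contain is exactly the kind of artefact the article's delivery vector would leave behind.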