跳到主体内容

Newly discovered BlackEnergy spear-phishing campaign targets Ukrainian entities

2016年1月28日

Kaspersky Lab’s Global Research and Analysis Team has discovered signs of previously unknown attacks by the Russian-speaking BlackEnergy APT group

Kaspersky Lab’s Global Research and Analysis Team has discovered signs of previously unknown attacks by the Russian-speaking BlackEnergy APT group. A spear-phishing document found by the company’s experts mentions the far-right Ukrainian nationalist political party “Right Sector” and appears to have been used in an attack against a popular television channel in Ukraine.

BlackEnergy is a highly dynamic threat actor and the latest attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and cyber-espionage activities. Initially a user of DDoS crimeware, BlackEnergy expanded into a large collection of tools. These have been used in various APT-type activities, including geopolitical operations, such as a wave of attacks on several critical sectors in Ukraine at the end of 2015.

Despite the fact that it has been uncovered multiple times, the BlackEnergy actor continues its activities and poses significant danger. 

Since mid-2015, the BlackEnergy APT group has been actively using spear-phishing emails carrying malicious Excel documents with macros to infect computers in a targeted network. However, in January this year, Kaspersky Lab researchers discovered a new malicious document which infects the system with a BlackEnergy Trojan. Unlike the Excel documents used in previous attacks, this was a Microsoft Word document.

Upon opening the document, the user is presented with a dialog recommending that macros are enabled in order to view the content. Enabling the macros triggers the BlackEnergy malware infection.

ua-news-s.jpg

Once activated inside a victim’s computer, the malware sends basic information about the infected machine to its command and control (C&C) server. One of the fields in the C&C connection sent by the malicious program contains a string which seems to refer to the victim ID. The document analyzed by Kaspersky Lab researchers contained the identifier “301018stb”, where “stb” could refer to the Ukrainian TV station “STB”. This TV station was previously named as a victim of the BlackEnergy Wiper attacks in October 2015.

Following the infection, additional malicious modules can be downloaded. Depending on the version of Trojan used, the functions of such additional payload may vary, ranging from cyber-espionage to data wiping.

“In the past, we’ve seen the BlackEnergy group target entities in Ukraine using Excel and PowerPoint documents. The use of Word documents was also expected so this confirms our suspicions. In general, we are seeing the use of Word documents with macros becoming more popular in APT attacks. For instance, recently we observed the Turla APT group using documents with macros to launch a similar type of attack. This leads us to believe that many of these attacks are successful and that this is why their popularity is increasing,” said Costin Raiu, Director of Global Research & Analysis Team at Kaspersky Lab.

The BlackEnergy APT group captured Kaspersky Lab’s attention back in 2014 when it began deploying SCADA-related plugins against victims in the ICS and energy sectors around the world. This lead to the conclusion that this group is especially active in the following sectors:

  • ICS, Energy, government and media in Ukraine
  • ICS/SCADA companies worldwide
  • Energy companies worldwide

Kaspersky Lab has already reported on BlackEnergy-related DDoS attacks, as well as on their destructive payloads, Siemens equipment exploitation and router attack plugins. To learn more about this and other malicious programs, visit Securelist.com.

Kaspersky Lab products detect the various Trojans used by BlackEnergy as: Backdoor.Win32.Fonten.* and HEUR:Trojan-Downloader.Script.Generic.

More information about BlackEnergy APT and extended IOCs are available to customers of Kaspersky Intelligence Services. Contact intelreports@kaspersky.com.

Newly discovered BlackEnergy spear-phishing campaign targets Ukrainian entities

Kaspersky Lab’s Global Research and Analysis Team has discovered signs of previously unknown attacks by the Russian-speaking BlackEnergy APT group
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻