It is continuing… a new attack against Ukraine's national power company

Jan 28 2016

Background:

The power outage on Ukraine's electric grid caused by a Trojan attack captured striking worldwide attention. It is the first incident in which a national critical infrastructure system was "successfully" taken down by a malware attack. Almost half of the homes (population around 1.4M) in the Ivano-Frankivsk area of Ukraine experienced a blackout for a few hours on December 23, 2015, a day before Christmas Eve. This is a loud and horrifying wake-up call for industrial control security. ThreatBook Labs has been monitoring this attack threat family closely. In January 2016, we captured a new attack against Ukraine's national power company. Unlike the previous BlackEnergy attack against the Ukrainian electric grid in December, the new wave of attacks does not use the same malware.

How - Attack vector:

The attack arrives through the spear-phishing email channel. A maliciously crafted Excel file named Ocenka.xls, with a malicious macro embedded, reached the system as an email attachment.

The attack started on the afternoon of January 19, 2016. At 16:51 and 16:56 Ukraine local time, a sender claiming to be "Ukrenergo" sent e-mails to ikc@obl.ck.energy.gov.ua and sp@rdc.centre.energy.gov.ua. The attack messages were sent from the UTC-08:00 time zone. The attacker posed as the Ukrainian state-owned power company Ukrenergo. The targets were the consulting department of the Ukrainian power company Cherkasyoblenergo in Cherkasy, and Kondrashov Alexander of Central Energy System of SE, a subsidiary of the state-owned power company Ukrenergo, whose job is substation director (Chief of Substations of Central ES).

The email body contains a PNG file hosted on the remote server 62.210.83.213. It is used to report email delivery status back to the sender.

The email message is written in Ukrainian. According to an online translation, it says:

“The Law of Ukraine "On principles of functioning electricity market of Ukraine" and "Order preparation system operator development plan of the United Energy Systems of Ukraine for the next ten years", approved by the Ministry of Energy and Coal Industry of Ukraine of 29.09.2014 № 680 system operator was developed and posted on the official website of the project "Development Plan UES of Ukraine for 2016 - 2025 years."

Draft Development Plan is annexed to the letter.

Pursuant to the provisions of paragraph 5 of the Procedure preparation January 20, 2016 at 14-00 in administrative indoors 750 kV "Kiev" (Kiev region, Makarov district, p. Nalyvaykivka st. October, 112-B) will be held public hearings and consultations on the draft Development Plan.”

When the attachment is clicked, the Excel file opens. The message in the Excel file is in Ukrainian.

According to Google Translate, it says:

“Assessment of generating capacity and the need for its optimization”

“UES Ukraine combines the parallel operation of thermal, nuclear, hydraulic, wind and solar power plants with total installed capacity, which as of 12.31.2015-year amount to 55,468 MW (excluding power generation facilities of SEZ "Crimea ").”

The pop-up alert message tries to lure the user into enabling macro execution, which is disabled by default in Microsoft Office.

“Attention! This document was created in a newer version of Microsoft Office. Macros need to display the contents of the document”
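As an added defender-side example (not ThreatBook's tooling or anything from the original report), the check below flags the three lure traits described above on a constructed sample message: a Date header stamped in a time zone that does not match the claimed Ukrainian sender, a remote image beacon hosted on a bare IP, and a macro-capable Excel attachment. The sender address, image path and the expected UTC+2 offset are assumptions.

```python
import re
from email import message_from_string, utils

# Constructed sample modelled on the described message (not the real attack email).
SAMPLE_EMAIL = """\
From: "Ukrenergo" <info@ukrenergo.example>
To: ikc@obl.ck.energy.gov.ua
Date: Tue, 19 Jan 2016 06:51:00 -0800
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>Draft Development Plan is annexed.<img src="http://62.210.83.213/s.png"></body></html>
--B1
Content-Type: application/vnd.ms-excel; name="Ocenka.xls"
Content-Disposition: attachment; filename="Ocenka.xls"

--B1--
"""

MACRO_EXTS = (".xls", ".xlsm", ".doc", ".docm", ".ppt", ".pptm")
CLAIMED_UTC_OFFSET_H = 2  # assumption: a Ukrainian sender in January would be at UTC+2
BARE_IPV4 = r"\d{1,3}(\.\d{1,3}){3}"

def triage(raw):
    """Return a list of findings for the lure traits described in the report."""
    msg = message_from_string(raw)
    findings = []
    # 1. Date header stamped in a time zone that does not match the claimed sender.
    off = utils.parsedate_to_datetime(msg["Date"]).utcoffset()
    hours = off.total_seconds() / 3600 if off else 0
    if hours != CLAIMED_UTC_OFFSET_H:
        findings.append(f"Date offset {hours:+.0f}h differs from claimed sender locale")
    for part in msg.walk():
        # 2. Remote image loaded from a literal IPv4 address: an open/delivery beacon.
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for src in re.findall(r"""<img[^>]+src=["']([^"']+)""", html, re.I):
                host = re.match(r"https?://([^/:]+)", src)
                if host and re.fullmatch(BARE_IPV4, host.group(1)):
                    findings.append(f"remote image beacon from bare IP {host.group(1)}")
        # 3. Macro-capable Office attachment.
        name = part.get_filename()
        if name and name.lower().endswith(MACRO_EXTS):
            findings.append(f"macro-capable attachment {name}")
    return findings
```

Each finding alone is weak evidence; together on one message they justify detonating the attachment in a sandbox rather than delivering it.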

What – Malicious Payload Analysis:

After the macro is enabled by the user, the embedded malicious macro executes. A Trojan downloader named test_vb.exe is dropped, saved to, and executed from the system %TEMP% folder. The macro's source module name is “ЭтаКнига”, which in Russian means “This book” (the Russian-locale name of Excel's ThisWorkbook VBA object).

After test_vb.exe is executed, it attempts to download a program from http://193.239.152.131/8080/templates/compiled/synio/root.cert, save it as iesecurity.exe under the %appdata% folder, and then execute it.

iesecurity.exe is a backdoor. It is a customized version of the open-source gcat (https://github.com/byt3bl33d3r/gcat), which is written in Python and converted into an executable PE file with PyInstaller.

The gcat backdoor uses Gmail as its command-and-control server to issue instructions to the client. The controller's email address in this attack is Stefan.wlkii@gmail.com. Our testing shows that this email account appears to have been closed by Google.

The customized backdoor can execute supplied shellcode on the client, download files, and force a host check-in on request.

ThreatBook Labs has been tracking and monitoring the BlackEnergy cybercriminal group and its related attacks. We will keep publishing our findings via our Threat Intelligence Analysis Platform: https://x.threatbook.cn/tag/BlackEnergy
