OREANDA-NEWS. February 01, 2016. Kaspersky Lab Global Research and Analysis Team has discovered signs of previously unknown attacks by the Russian-speaking BlackEnergy APT group. A spear-phishing document found by the company’s experts mentions the far-right Ukrainian nationalist political party “Right Sector” and appears to have been used in an attack against a popular television channel in Ukraine.

BlackEnergy is a highly dynamic threat actor and the latest attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and cyber-espionage activities. Initially a user of DDoS crimeware, BlackEnergy expanded into a large collection of tools. These have been used in various APT-type activities, including geopolitical operations, such as a wave of attacks on several critical sectors in Ukraine at the end of 2015.

Despite the fact that it has been uncovered multiple times, the BlackEnergy actor continues its activities and poses significant danger. 

Since mid-2015, the BlackEnergy APT group has been actively using spear-phishing emails carrying malicious Excel documents with macros to infect computers in a targeted network. However, in January of this year, Kaspersky Lab researchers discovered a new malicious document which infects the system with a BlackEnergy Trojan. Unlike the Excel documents used in previous attacks, this was a Microsoft Word document.

Upon opening the document, the user is presented with a dialog recommending that macros are enabled in order to view the content. Enabling the macros triggers the BlackEnergy malware infection.

Once activated inside a victim’s computer, the malware sends basic information about the infected machine to its command and control (C&C) server. One of the fields in the C&C connection sent by the malicious program contains a string which seems to refer to the victim ID. The document analyzed by Kaspersky Lab researchers contained the identifier “301018stb,” where “stb” could refer to the Ukrainian TV station “STB.” This TV station was previously named as a victim of the BlackEnergy Wiper attacks in October 2015.

Following the infection, additional malicious modules can be downloaded. Depending on the version of Trojan used, the functions of such additional payload may vary, ranging from cyber-espionage to data wiping.

“In the past, we’ve seen the BlackEnergy group target entities in Ukraine using Excel and PowerPoint documents. The use of Word documents was also expected so this confirms our suspicions. In general, we are seeing the use of Word documents with macros becoming more popular in APT attacks. For instance, recently we observed the Turla APT group using documents with macros to launch a similar type of attack. This leads us to believe that many of these attacks are successful and that this is why their popularity is increasing,” said Costin Raiu, Director of Global Research & Analysis Team at Kaspersky Lab.

The BlackEnergy APT group captured Kaspersky Lab’s attention back in 2014 when it began deploying SCADA-related plugins against victims in the ICS and energy sectors around the world. This lead to the conclusion that this group is especially active in the following sectors:

  • ICS, Energy, government and media in Ukraine
  • ICS/SCADA companies worldwide
  • Energy companies worldwide

Kaspersky Lab has already reported on BlackEnergy-related DDoS attacks, as well as on their destructive payloads, Siemens equipment exploitation and router attack plugins. To learn more about this and other malicious programs, visit Securelist.com.

Kaspersky Lab products detect the various Trojans used by BlackEnergy as: Backdoor.Win32.Fonten.* and HEUR:Trojan-Downloader.Script.Generic.

More information about BlackEnergy APT and extended IOCs are available to customers of Kaspersky Intelligence Services. Contact intelreports@kaspersky.com.