The BlackEnergy Trojan has resurfaced in Ukraine, where hackers have used it to cause power outages.
Originally conceived as a relatively simple tool to conduct distributed denial of service (DDoS) attacks in 2007, it has evolved into a sophisticated piece of malware with a modular architecture.
In 2014, security researchers at Eset reported that BlackEnergy had been used for espionage in Ukraine and Poland right up until August.
Just over a year later, Eset researchers found that BlackEnergy was used as a backdoor to deliver a destructive component in attacks against power and media companies in Ukraine.
On 23 December 2015, about half of the homes in Ukraine’s Ivano-Frankivsk region were left without electricity for several hours.
According to Ukrainian news media outlet TSN, the cause of the outage was a “hacker attack”.
Eset researchers said in a blog post that the company’s telemetry systems indicate that the outage was not an isolated incident and that cyber criminals targeted other Ukrainian energy companies at the same time.
In the attacks, they say a “KillDisk” component designed to destroy targeted systems was downloaded and executed on computers previously infected with BlackEnergy.
The link between BlackEnergy and the KillDisk component was first reported by CERT-UA in November 2015, when a number of news media companies were attacked at the time of the 2015 Ukrainian local elections.
The report claims that a large number of video materials and various documents were destroyed through the attacks.
According to the Eset researchers, the attackers typically send the target organisation a spear-phishing email that contains an attachment with a malicious document.
Ukrainian security company CyS Centrum published two screenshots of emails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to the Ukrainian parliament.
The document usually contains text designed to persuade the victim to run the macro in the document using social engineering.
Once the macro runs, the victims’ computers are infected with BlackEnergy Lite, a variant of the BlackEnergy Trojan.
The KillDisk component used against the Ukrainian media companies was focused on destroying various types of files and documents.
However, Eset researchers found that the KillDisk component used in attacks against energy companies in Ukraine was slightly different.
According to Eset’s analysis, the main changes in the newest version are that it now accepts a command line argument to set a specific time delay when the destructive payload should activate.
It also deletes Windows Event Logs and deletes only 35 file extension types compared with more than 4,000 file extension types in the attacks against the Ukrainian media companies.
The KillDisk component detected in the electricity distribution companies also contains functionality specifically intended to sabotage industrial control systems by overwriting executable files with random data.
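One defender-side check that follows from the sabotage behaviour described above (executables overwritten with random data), written as an added example rather than any ESET or CERT-UA code: a PE file loses its leading "MZ" signature when it is overwritten, and random data has close to 8 bits of entropy per byte, so a scan that flags executables with no MZ header and high entropy points at exactly that kind of damage. The extensions list, the entropy threshold and the sample files are assumptions constructed for the example.

```python
"""Integrity check for executables overwritten with random data, in the manner
the article attributes to the KillDisk component. Added example; not code from
ESET, CERT-UA or any malware sample. Builds its own sample files under a temp dir."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed set of executable types worth checking on a Windows ICS host;
# the article does not list the 35 extensions the component deletes.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys"}
# Assumed threshold: random bytes score close to 8.0, intact PE files
# typically sit well below this unless packed or encrypted.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_executable(data: bytes) -> str:
    """Return 'ok', 'random_overwrite' or 'header_missing' for file content.

    A PE executable starts with the 'MZ' signature. Overwriting with random
    data destroys that signature and drives entropy toward 8 bits/byte; both
    signals together are the strong indicator. A missing header with low
    entropy is weaker (zeroed, truncated, or simply not a PE file)."""
    if data[:2] == b"MZ":
        return "ok"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "random_overwrite"
    return "header_missing"


def scan_for_overwritten_executables(root: str) -> dict:
    """Walk root and return {relative path: verdict} for every executable
    whose content is not 'ok'."""
    findings = {}
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXTENSIONS:
            verdict = classify_executable(path.read_bytes())
            if verdict != "ok":
                findings[str(path.relative_to(root_path))] = verdict
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample data: an intact PE-like file, one overwritten with
    seeded pseudo-random bytes, one zeroed file, and a non-executable."""
    base = Path(root)
    (base / "bin").mkdir(parents=True, exist_ok=True)
    # Minimal DOS-stub-like content: MZ signature plus low-entropy filler.
    (base / "bin" / "intact.exe").write_bytes(
        b"MZ" + b"\x90" * 200 + b"PE\x00\x00" + b"\x00" * 300)
    # Seeded generator so the scan result is reproducible.
    rng = random.Random(1234)
    (base / "bin" / "hmi.dll").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(4096)))
    (base / "bin" / "driver.sys").write_bytes(b"\x00" * 1024)
    (base / "notes.txt").write_text("not an executable, ignored by the scan")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_overwritten_executables(tmp)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:17} {rel}")
```

On a real host the scan would run against a baseline of known-good hashes rather than the signature check alone; the point here is that a random overwrite is detectable from the file content itself, which is useful when no baseline exists for the affected machine.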
The Eset researchers said they will continue to monitor the BlackEnergy malware operations for future developments.