BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry

Update: In case you want to have a more simplified version of this article, please check out BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry.

The cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and has made a comeback in 2014 (see our previous blog posts on Back in BlackEnergy *: 2014 Targeted Attacks in Ukraine and Poland and BlackEnergy PowerPoint Campaigns, as well as our Virus Bulletin talk on the subject), was also active in the year 2015.

ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. In this blog, we provide details on the BlackEnergy samples ESET has detected in 2015, as well as the KillDisk components used in the attacks. Furthermore, we examine a previously unknown SSH backdoor that was also used as another channel of accessing the infected systems, in addition to BlackEnergy.

We continue to monitor the BlackEnergy malware operations for future developments. For any inquiries or to make sample submissions related to the subject, contact us at:

BlackEnergy evolution in 2015

Once activated, variants of BlackEnergy Lite allow a malware operator to check specific criteria in order to assess whether the infected computer truly belongs to the intended target. If that is the case, the dropper of a regular BlackEnergy variant is pushed to the system. The exact mechanism of infection by BlackEnergy is described in our Virus Bulletin presentation and this whitepaper by F-Secure.

The BlackEnergy malware stores XML configuration data embedded in the binary of DLL payload.

Figure 1 – The BlackEnergy configuration example used in 2015

Figure 1 – The BlackEnergy configuration example used in 2015

Apart from a list of C&C servers, the BlackEnergy config contains a value called build_id. This value is a unique text string used to identify individual infections or infection attempts by the BlackEnergy malware operators. The combinations of letters and numbers used can sometimes reveal information about the campaign and targets.

Here is the list of Build ID values that we identified in 2015:

  • 2015en
  • khm10
  • khelm
  • 2015telsmi
  • 2015ts
  • 2015stb
  • kiev_o
  • brd2015
  • 11131526kbp
  • 02260517ee
  • 03150618aaa
  • 11131526trk

We can speculate that some of them have a special meaning. For example 2015telsmi could contain the Russian acronym SMI – Sredstva Massovoj Informacii, 2015en could mean Energy, and there’s also the obvious “Kiev”.

KillDisk component

In 2014 some variants of the BlackEnergy trojan contained a plugin designed for the destruction of the infected system, named dstr.

In 2015 the BlackEnergy group started to use a new destructive BlackEnergy component detected by ESET products as Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.

The main purpose of this component is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable.

The first known case where the KillDisk component of BlackEnergy was used was documented by CERT-UA in November 2015. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents were destroyed as a result of the attack.

It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions.

Figure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB

Figure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB

The KillDisk component used in attacks against energy companies in Ukraine was slightly different. Our analysis of the samples shows that the main changes made in the newest version are:

  • Now it accepts a command line argument, to set a specific time delay when the destructive payload should activate.
  • It also deletes Windows Event Logs : Application, Security, Setup, System.
  • It is less focused on deleting documents. Only 35 file extensions are targeted.
Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component

Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component

As well as being able to delete system files to make the system unbootable – functionality typical for such destructive trojans – the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems.

Once activated, this variant of the KillDisk component looks for and terminates two non-standard processes with the following names:

  • komut.exe
  • sec_service.exe

We didn’t manage to find any information regarding the name of the first process (komut.exe).

The second process name may belong to software called ASEM Ubiquity, a software platform that is often used in Industrial control systems (ICS), or to ELTIMA Serial to Ethernet Connector. In case the process is found, the malware does not just terminate it, but also overwrites the executable file with random data.

Backdoored SSH server

In addition to the malware families already mentioned, we have discovered an interesting sample used by the BlackEnergy group. During our investigation of one of the compromised servers we found an application that, at first glance, appeared to be a legitimate SSH server called Dropbear SSH.

In the order to run the SSH server, the attackers created a VBS file with the following content:

Set WshShell = CreateObject(“WScript.Shell”)
WshShell.CurrentDirectory = “C:\WINDOWS\TEMP\Dropbear\”
WshShell.Run “dropbear.exe -r rsa -d dss -a -p 6789”, 0, false

As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want.

However, for some reason this was not enough for them. After detailed analysis we discovered that the binary of the SSH server actually contains a backdoor.

Figure 4 – Backdoored authentication function in SSH server

Figure 4 – Backdoored authentication function in SSH server

As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password passDs5Bu9Te7 was entered. The same situation applies to authentication by key pair – the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used.

Figure 5 – The embedded RSA public key in SSH server

Figure 5 – The embedded RSA public key in SSH server

ESET security solutions detect this threat as Win32/SSHBearDoor.A trojan.

Indicators of Compromise (IoC)

IP addresses of BlackEnergy C2-servers:

XLS document with malicious macro SHA-1:

BlackEnergy Lite dropper SHA-1:

BlackEnergy Big dropper SHA-1:

BlackEnergy drivers SHA-1:

KillDisk-components SHA-1:

VBS/Agent.AD trojan SHA-1:

Win32/SSHBearDoor.A trojan SHA-1:

Picture credits: ©flickr/tanozzo

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.