Malware based on open-source backdoor targeting Ukraine power industries

Researchers have detected a new malware attack campaign based on an open-source backdoor that is targeting the Ukrainian electric power industry.

In a blog post, ESET malware researcher Robert Lipovsky discusses how the attacks follow on the heels of another malware campaign recently spotted in Ukraine.

“Yesterday (January 19th) we discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December”

On December 23 last year, the Western Ukrainian power company Prykarpattyaoblenergo reported on outages that affected an area including the regional capital of Ivano-Frankivsk.

An investigation later determined that a variant of the BlackEnergy malware had caused “interference” in the working of the company’s systems, which may have led to the power interruption.

While some are calling this incident the first ever malware-caused power outage, others are more skeptical.

For instance, as noted by PCWorld, the SANS Industrial Control Systems (ICS) team published a post earlier this month in which they said that the malware only gave the attackers access to the systems at Prykarpattyaoblenergo and Kyivoblenergo, but did not cause the outage directly.

These concerns notwithstanding, BlackEnergy is still on the loose in Ukraine.

Just earlier this week, specialists of the State Service of Special Communications and Information Protection of Ukraine detected the malware on one of the workstations at Boryspil International Airport. That workstation was connected to the airport’s main IT network, which includes the airport’s air traffic control center.

It is no wonder, therefore, that Lipovsky and his fellow researchers were surprised to learn that BlackEnergy wasn’t the malware behind this latest attack on Ukraine’s electric power sector:

“What’s particularly interesting is that the malware that was used this time is not BlackEnergy, which poses further questions about the perpetrators behind the ongoing operation. The malware is based on a freely-available open-source backdoor – something no one would expect from an alleged state-sponsored malware operator.”

Even so, the attack mimics December’s BlackEnergy malware campaigns, which might suggest that the same actors are responsible for both incidents.

Lipovsky explains that the attack begins with a spearphishing email being sent to a victim, containing a malicious XLS file. As with the BlackEnergy campaigns, the email contains HTML content with a link to a .PNG file (what is known as a tracking pixel) located on a remote server. This ensures that the attackers will receive a notification when the email has been opened.

Clicking on the attachment opens a malicious Microsoft Office file that asks the victim to enable macros. The Trojan downloader then executes, loading up malware based on modified versions of an open-source gcat backdoor written in the Python programming language.

“This backdoor is able to download executables and execute shell-commands. Other GCat backdoor functionality, such as making screenshots, keylogging, or uploading files, was removed from the source code. The backdoor is controlled by attackers using a GMail account, which makes it difficult to detect such traffic in the network.”

Given the details of the attack, some are starting to wonder whether they were wrong in assuming that Russia was/is responsible for this recent series of malware campaigns. It goes without saying that attribution in these instances is extremely difficult. We must therefore be patient and wait until investigators are able to gather more evidence.

For the time being, however, the mystery continues with regards to who is targeting Ukraine.

flickr photo shared by readephotography under a Creative Commons ( BY-ND ) license

Found this article interesting? Follow Graham Cluley on Bluesky or Mastodon to read more of the exclusive content we post.

---