Ukraine energy utilities attacked again with open source Trojan backdoor
Macro phish attempts to hook BlackEnergy borscht and battered sector
Battered Ukrainian electricity utilities are being targeted with backdoors in attacks possibly linked to those fingered for recent blackouts.
The phishing attacks are attempting to get backdoors installed on utility company computers using techniques similar to those seen in the BlackEnergy attacks.
BlackEnergy ripped through Ukrainian utilities in what is largely considered the cause of mass power outages on 23 December in the Prykarpattya Oblenergo and Kyivoblenergo utilities.
Power was cut to some 80,000 customers for six hours, and Ukraine's national security service has pointed the finger at the Kremlin.
Now the utilities are being served malicious Microsoft XLS files, which attempt to execute the open source GCat backdoor, a technique that has been used in many other attacks.
ESET threat man Robert Lipovsky says the documents urge users to enable macros, after which a Trojan is downloaded from a remote server. "This backdoor is able to download executables and execute shell-commands," Lipovsky says.
"Other GCat backdoor functionality, such as making screenshots, keylogging, or uploading files, was removed from the source code.
"The backdoor is controlled by attackers using a Gmail account, which makes it difficult to detect such traffic in the network."
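Because the implant talks to a Gmail account rather than to an attacker-owned server, destination-based blocking is of little use; what a defender can still check is which internal hosts are reaching a mailbox provider at all. The script below is an added illustration, not ESET's tooling and not code from the campaign: it triages constructed firewall egress log lines and flags any host in a hypothetical OT segment (10.50.0.0/16) or any host outside a hypothetical allow-list of mail-client workstations that connects to Gmail's IMAP or SMTP endpoints. The choice of IMAP/SMTP as the transport is an assumption; the article does not say which Gmail protocol the backdoor uses, and an implant using the web front end over HTTPS would need a different signal (for example TLS SNI or proxy logs).

```python
"""Flag hosts reaching Gmail mail endpoints that have no business doing so.

Added illustration for the "Gmail as C2 channel" point; not ESET's code.
All network ranges, host lists and log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the backdoor polls its Gmail mailbox over IMAP/SMTP. The page
# does not state the protocol, so treat these as one plausible transport.
MAIL_ENDPOINTS = {
    ("imap.gmail.com", 993),
    ("smtp.gmail.com", 465),
    ("smtp.gmail.com", 587),
}

# Hypothetical address plan: SCADA/OT hosts should never talk to webmail.
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# Hypothetical allow-list: business workstations known to run a mail client.
ALLOWED_MAIL_HOSTS = {"10.20.1.15", "10.20.1.16"}

# Constructed key=value firewall log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    """Return a finding label for one egress event, or None if it is expected."""
    if (event["dst"], event["dport"]) not in MAIL_ENDPOINTS:
        return None  # not mail traffic; out of scope for this check
    src = ipaddress.ip_address(event["src"])
    if src in OT_SEGMENT:
        return "ot-host-to-gmail"  # highest priority: OT segment has no mail use
    if event["src"] not in ALLOWED_MAIL_HOSTS:
        return "unexpected-host-to-gmail"  # corporate host not on the allow-list
    return None


def triage(lines):
    """Group suspicious (src, dst, dport) tuples by finding label."""
    findings = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip unparseable lines rather than abort the run
        label = classify(event)
        if label:
            findings[label].append((event["src"], event["dst"], event["dport"]))
    return dict(findings)


# Constructed sample log: one allowed mail client, one OT host, one
# unlisted corporate host, one unrelated HTTPS flow, one junk line.
SAMPLE_LOG = [
    "2016-01-20T09:14:02Z src=10.20.1.15 dst=imap.gmail.com dport=993 proto=tcp action=allow",
    "2016-01-20T09:14:05Z src=10.50.3.7 dst=imap.gmail.com dport=993 proto=tcp action=allow",
    "2016-01-20T09:15:11Z src=10.20.4.88 dst=smtp.gmail.com dport=587 proto=tcp action=allow",
    "2016-01-20T09:15:30Z src=10.20.1.16 dst=update.example.com dport=443 proto=tcp action=allow",
    "not a log line",
]

if __name__ == "__main__":
    for label, hits in sorted(triage(SAMPLE_LOG).items()):
        for src, dst, dport in hits:
            print(f"{label}: {src} -> {dst}:{dport}")
```

The allow-list is the real control here: on a utility network, the set of machines that legitimately use a personal mailbox provider is small and knowable, so anything else touching those endpoints is worth a ticket regardless of how ordinary the destination looks.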
Lipovsky says the attacks should not necessarily be blamed on Russia, nor with complete certainty on any actor.
Many researchers are working in tandem on threat intelligence and forensics in the wake of the Ukrainian BlackEnergy attacks.
The latest campaign follows the compromise of Kiev airport by the BlackEnergy malware. ®