Attackers use the Gcat backdoor in cyber attacks on Ukrainian energy companies

    Earlier, we described the details of malicious campaigns directed against such enterprises in western Ukraine [1, 2]. In those cyber attacks the attackers used the BlackEnergy Trojan together with a dedicated KillDisk component to render compromised systems unusable. They also deployed the Win32/SSHBearDoor.A backdoor to manage those systems over SSH.



    On January 19 we recorded new cyber attacks on energy companies in Ukraine. Several electricity supply companies were attacked again, following the series of cyber attacks and blackouts in December.

    The attack scenario closely resembles the earlier BlackEnergy incidents and has not changed significantly: the attackers send a phishing email to the victim's address with a malicious .xls file attached.


    Fig. A phishing email message that was used for a malicious campaign.

    The body of the phishing email contains HTML with a link to a .PNG file hosted on a remote server. When the mail client fetches the image, the attackers are notified that the message reached the intended victim. The same delivery-notification mechanism was used in earlier BlackEnergy cyber attacks.


    Fig. The HTML data section that specifies the PNG file address on the remote server.

    The name of this PNG file is the base64-encoded string "mail_<victim's email address>".
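    A mail gateway or analyst can turn this naming scheme into a check: decode the file name of every remote image in an incoming HTML body and flag it when the result is "mail_" followed by an address. The Python below is an added example, not code from the report or from ESET; the HTML bodies, host names and addresses are constructed.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Constructed samples (hosts and addresses are made up for this example).
# BEACON_HTML carries a remote image whose file name is
# base64("mail_victim@example.invalid"), the pattern the campaign used for
# delivery notification; BENIGN_HTML carries an ordinary remote image.
BEACON_HTML = (
    '<html><body><p>See the attached report.</p>'
    '<img src="http://tracker.example.invalid/'
    'bWFpbF92aWN0aW1AZXhhbXBsZS5pbnZhbGlk.png" width="1" height="1">'
    '</body></html>'
)
BENIGN_HTML = '<p>Quarterly figures</p><img src="https://cdn.example.invalid/logo.png">'

IMG_SRC_RE = re.compile(r'<img[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def decode_beacon_name(url: str) -> Optional[str]:
    """Return the address embedded in a remote image name when that name is
    base64("mail_<address>"), otherwise None."""
    name = unquote(urlparse(url).path).rsplit("/", 1)[-1]
    stem = name.rsplit(".", 1)[0] if "." in name else name
    # Tolerate the URL-safe alphabet and stripped padding, both common in tracking URLs.
    stem = stem.replace("-", "+").replace("_", "/")
    stem += "=" * (-len(stem) % 4)
    try:
        decoded = base64.b64decode(stem, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or not text: an ordinary image name
    if decoded.startswith("mail_") and "@" in decoded[5:]:
        return decoded[5:]
    return None


def find_tracked_recipients(html: str) -> List[Tuple[str, str]]:
    """Scan every remote <img> in an HTML body; return (url, address) pairs
    for images whose name encodes a recipient address."""
    hits = []
    for src in IMG_SRC_RE.findall(html):
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline/cid images cannot report back to a server
        recipient = decode_beacon_name(src)
        if recipient:
            hits.append((src, recipient))
    return hits


if __name__ == "__main__":
    for src, who in find_tracked_recipients(BEACON_HTML):
        print(f"delivery beacon {src} reports on {who}")
    print("benign body hits:", find_tracked_recipients(BENIGN_HTML))
```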


    Fig. Appearance of the so-called decoy-document (bait).

    The decoy document above contains a malicious macro similar to the one used in earlier BlackEnergy cyber attacks. Through social engineering, the macro attempts to trick the victim into overriding the Microsoft Office security warning and enabling macros. Translated from Ukrainian, the message reads: "Warning! This document was created in a newer version of Microsoft Office. The macros contained in it are necessary to display the contents of the document."

    If the macro runs successfully, it launches the malware, a downloader that tries to fetch the executable payload from a remote server and run it.


    Fig. Part of the downloader code.

    The payload was hosted on a server in Ukraine. The server was taken down after we notified CERT-UA and CyS-CERT.

    As the downloader's payload we expected to see the BlackEnergy Trojan, but this time the attackers chose a different malicious program: a modified version of the open-source backdoor gcat, which is written in Python. The backdoor's source code was compiled into an executable file with the PyInstaller tool.


    Fig. Obfuscated GCat backdoor source code.

    The backdoor is specialised for downloading further executable files onto the compromised system and running commands through the command-line interpreter (shell). Other functions of the original backdoor, such as taking screenshots, capturing keystrokes (keylogging) and uploading files to a remote server, were removed. The attackers controlled the backdoor through a Gmail account, which makes its malicious traffic harder to distinguish on the network.

    ESET antivirus products detect the threat files as:

    VBA/TrojanDropper.Agent.EY
    Win32/TrojanDownloader.Agent.CBC
    Python/Agent.N


    Conclusion

    Our research on the cyber attacks described above, and the materials we published, received wide media attention. There were two reasons for this.

    • Most likely, this is the first successful case of a cyber attack being used to cause a mass blackout.
    • Based on the opinions of some security companies, many well-known media outlets pointed to Russia as the source of these state-sponsored cyber attacks (BlackEnergy, aka Sandworm, aka Quedagh).

    The first point started a debate about whether the power outage was a direct effect of the malware, or whether the malware merely provided remote access to attackers who then performed the necessary operations by hand. Although the two methods of sabotage differ technically, the outcome is the same.

    The second point is even more controversial. As we have stated before, attributing a cyber attack to a particular state or group is only possible when there is indisputable evidence from which such a conclusion can be drawn. At present we have no evidence indicating who is behind these attacks. Clearly, attempting to tie these cyber attacks to the current political situation may lead to the wrong conclusions.

    Indicators of compromise

    IP addresses:
    193.239.152.131
    62.210.83.213

    SHA-1 of the malicious XLS file:
    1DD4241835BD741F8D40BE63CA14E38BBDB0A816

    SHA-1 of the malicious executable files:
    920EB07BC8321EC6DE67D02236CF1C56A90FEA7D
    BC63A99F494DE6731B7F08DD729B355341F6BF3D
