BlackEnergy "energy" Trojan exploits a vulnerability in Microsoft Office 2013
Information security experts from SentinelOne have discovered a new tactic for spreading the BlackEnergy malware, which attacks SCADA systems throughout Europe. The latest version is distributed via Microsoft Office documents, and the attackers count on inattentive and careless employees of energy companies to bring the malware inside.
The latest version of the malware is called BlackEnergy 3, and it is the same software that was used to attack the energy systems of Ukraine. A team of specialists from SentinelOne reverse-engineered the malware and found signs that it is distributed in the manner described above.
BlackEnergy 3 exploits a vulnerability in Office 2013 that was fixed some time ago, so it only works on machines that have not been patched, or when a company employee opens an infected Excel document.
The likelihood that energy companies use outdated software is low, so the main "source" of malware entry into the enterprise is still its employees, whether deliberately or unwittingly.
"The vulnerability CVE-2014-4114 is now used in OLE Packager 2 (packager.dll). Moreover, each executable file was created using compilers of different versions, which allows us to talk about the involvement of different groups in this campaign, about the same as in the case of an R&D project in which several teams work. And in the finished software there are several unique fingerprints of each of the groups," the researchers said in a report.
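The quote above points at the OLE Packager component, which is what lets an arbitrary file, including an executable, be embedded as an object inside an Office document. As an added example (not from the SentinelOne report or this article), the Python script below performs a defender-side triage of OOXML files: it lists embedded OLE parts and flags any XML part that references the `Package` ProgID. The sample document it builds is constructed in memory, and the part names and ProgID string follow OOXML conventions rather than anything taken from this page.

```python
import io
import re
import sys
import zipfile

# OOXML stores embedded OLE objects under these directories (Word, Excel, PowerPoint).
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")

# A ProgID of "Package" marks an OLE Packager object, i.e. an arbitrary embedded file.
PACKAGE_PROGID = re.compile(rb'progid\s*=\s*"package"', re.IGNORECASE)


def inspect_ooxml(data: bytes) -> dict:
    """Return embedded OLE part names and XML parts that reference the Packager ProgID."""
    findings = {"embedded_ole_parts": [], "packager_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(EMBED_DIRS):
                findings["embedded_ole_parts"].append(name)
            if name.endswith(".xml") and PACKAGE_PROGID.search(zf.read(name)):
                findings["packager_refs"].append(name)
    return findings


def is_suspicious(data: bytes) -> bool:
    """A document that carries embedded OLE parts or a Packager reference deserves a closer look."""
    found = inspect_ooxml(data)
    return bool(found["embedded_ole_parts"]) or bool(found["packager_refs"])


def build_sample(with_package: bool) -> bytes:
    """Constructed minimal OOXML-style workbook for testing; not a real malicious document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        sheet = "<worksheet>"
        if with_package:
            # Placeholder bytes standing in for an embedded OLE object (constructed).
            zf.writestr("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0placeholder")
            sheet += '<oleObjects><oleObject progId="Package" r:id="rId1"/></oleObjects>'
        sheet += "</worksheet>"
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage_ooxml.py file1.xlsx file2.docx ...
    # With no arguments, runs against the constructed samples.
    paths = sys.argv[1:]
    if not paths:
        for label, blob in (("clean", build_sample(False)), ("packager", build_sample(True))):
            print(label, is_suspicious(blob), inspect_ooxml(blob))
    for path in paths:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, "SUSPICIOUS" if is_suspicious(blob) else "no embedded OLE", inspect_ooxml(blob))
```

The check is deliberately coarse: legitimate workbooks can carry embedded objects, so a hit is a reason to quarantine and inspect, not a verdict. Legacy binary formats (.xls, .doc) are OLE2 containers rather than zips and need a different parser.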
The conclusion is as follows: BlackEnergy is already present in many Ukrainian systems, as well as in the energy systems of European countries. If this is true, the malware could be used to cause blackouts and other disruptions at the most unexpected moment.
A full report on the problem is available here.