Malicious Code Analysis on Ukraine’s Power Grid Incident

CS.Lee
Jan 18, 2016 (6 min read)


At the end of December 2015, the networks of Ukrainian power companies were attacked, leaving large parts of western Ukraine without electricity. The Security Service of Ukraine (SBU) stated that Russian intelligence services had implanted malicious software in the power grid, causing unexpected outages. A few days later, security vendors outside Ukraine reported that the incident was linked to the BlackEnergy trojan and that malicious code samples had been obtained and analyzed.
The Knownsec Security Team has followed this incident since it began. This report records the analysis and tracing process for the whole incident.

Sample Analysis

The Knownsec Security Team has analyzed the 26 samples obtained by the Tencent PC Manager Team. The samples are listed as follows:

Aa67ca4fb712374f5301d1d2bab0ac66107a4df1 (Excel)

Many public reports and analyses outside China mention an infected Excel document whose SHA-1 value is aa67ca4fb712374f5301d1d2bab0ac66107a4df1.

The file’s last modification time is 2015–03–17 06:41:04 UTC, shown as follows:

The document contains a malicious VBA macro which, once the user allows the macro to run, drops an .exe file to disk and executes it:

The SHA-1 value of the dropped vba_macro.exe sample is 4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c. See the vba_macro.exe section below for its analysis.

72d0b326410e1d0705281fde83cb7c33c67bc8ca (VBS Script)

The malicious VBS script launches a Dropbear SSH server. The details are shown as follows:

The VBS script starts the lightweight SSH server and sets it to listen on port 6789.

166d71c63d0eb609c4f77499112965db7d9a51bb (PE32 Dropbear Server)

Analysis confirms that the sample is a modified build of the Dropbear SSH server. Further analysis shows that the modification adds a backdoor: the patched Dropbear accepts two additional authentication paths that bypass the normal checks.

The first is password authentication with a hard-coded username “user” and the matching hard-coded password “passDs5Bu9Te7”, used directly as the account credentials:

The second is a hard-coded public key authentication process:

The hard-coded public key is found in the code:

16f44fac7e8bc94eccd7ad9692e6665ef540eec4 (PE32 KillDisk Component)

Analysis shows that the sample is a KillDisk component used to destroy data on the system disk. A screenshot of the key part is as follows:

The damage differs between 32-bit and 64-bit operating systems. On a 32-bit system the main effect is formatting of the system disk. On a 64-bit system, where the component cannot format the disk directly, the main effect is deletion of system files, which then causes programs to fail to run. The key code is as follows:

After the component has run on a 64-bit system and the host reboots, normal Windows programs can no longer be executed and produce the error message shown below. The desktop background also turns black.

f3e41eb94c4d72a98cd743bbb02d248f510ad925 (PE32 LocalServer)

When this program is run it registers and starts a local service named LocalServer. When run with administrator privileges on a 64-bit system, the malware invokes “cmd” to create and start the service:

The parameters passed to “cmd” are shown as follows:

LocalServer can then be seen in the Windows services list (Control Panel).

A temporary file is also generated:

In the figure above, the part framed in red is the drop path. In addition, LocalServer deletes log files to hide its activity, shown as follows:

Files with extensions such as .CRT and .BIN are also deleted, shown as follows:

Finally, the destructive functions are carried out: programs are corrupted and the system disk is formatted.

4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c (PE32 vba_macro.exe)

After vba_macro.exe (dropped by the Excel macro) runs, it automatically sends host information to the C&C server over HTTP (the IP address 5.149.254.114 geolocates to the Netherlands). Capturing the traffic with Fiddler shows the requests sent to the external network:

The request carries Base64-encoded information: Yl9pZD1CSU5MQUItUENfODUwQjEzNTgwOUM5MThFMURFQzI2M0I2QTI3OTdBNzAmYl9nZW49cmVsZWFzZSZiX3Zlcj0yLjImb3Nfdj03NjAxJm9zX3R5cGU9MQ==, which decodes to b_id=BINLAB-PC_850B135809C918E1DEC263B6A2797A70&b_gen=release&b_ver=2.2&os_v=7601&os_type=1, i.e. the analysis host name plus a machine identifier, the build type and version of the bot, and the Windows build number (7601 is Windows 7 SP1).

As the C&C server did not respond during analysis, subsequent behaviour could not be traced.
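The following Python script is an added example, not code from the Knownsec report: it decodes the Base64 check-in payload quoted above, parses it into its fields, splits the b_id into host name and machine identifier, and runs a small heuristic detector over constructed proxy log lines to flag requests carrying a payload with the same field set. The field names come from the decoded payload itself; their meanings, the 32-hex-character machine-id format, the POST method and the log line format are assumptions for illustration.

```python
"""Decode and detect the host-information beacon sent by vba_macro.exe.
Added example for this analysis; not code from the original report."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Beacon payload quoted in the report (captured with Fiddler).
REPORTED_BEACON = (
    "Yl9pZD1CSU5MQUItUENfODUwQjEzNTgwOUM5MThFMURFQzI2M0I2QTI3OTdBNzAm"
    "Yl9nZW49cmVsZWFzZSZiX3Zlcj0yLjImb3Nfdj03NjAxJm9zX3R5cGU9MQ=="
)

# Field names are taken from the decoded payload; their meanings are
# inferred from the values (assumption, not documented by the report).
EXPECTED_FIELDS = {"b_id", "b_gen", "b_ver", "os_v", "os_type"}


def decode_beacon(b64: str) -> dict:
    """Base64-decode the payload and parse it as a URL-encoded record.
    Returns {field: value}; raises ValueError on anything malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc
    text = raw.decode("ascii")  # UnicodeDecodeError is a ValueError subclass
    fields = parse_qs(text, strict_parsing=True, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def split_bot_id(b_id: str) -> tuple:
    """b_id looks like '<hostname>_<32 hex chars>'; return (hostname, machine_id).
    The 32-hex-character suffix is an assumption based on the single sample."""
    host, sep, machine_id = b_id.rpartition("_")
    if not sep or not re.fullmatch(r"[0-9A-Fa-f]{32}", machine_id):
        raise ValueError(f"unexpected b_id format: {b_id!r}")
    return host, machine_id


def looks_like_blackenergy_beacon(body: str) -> bool:
    """Heuristic: True if the body decodes to a record with exactly the
    field set seen in the sample. Malformed input is simply not a match."""
    try:
        fields = decode_beacon(body)
    except ValueError:
        return False
    return set(fields) == EXPECTED_FIELDS


# Constructed proxy log lines (not from the report):
# "<client> <method> <url> <request body or '-'>".
SAMPLE_LOG = [
    "10.0.0.5 POST http://5.149.254.114/ " + REPORTED_BEACON,
    "10.0.0.7 GET http://example.com/index.html -",
    "10.0.0.9 POST http://example.com/api dXNlcj1hbGljZQ==",  # 'user=alice', benign
]


def find_beacons(log_lines) -> list:
    """Return (client, url) for every POST whose body looks like the beacon."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue  # skip lines without a body column
        client, method, url, body = parts
        if method == "POST" and looks_like_blackenergy_beacon(body):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    fields = decode_beacon(REPORTED_BEACON)
    for name, value in fields.items():
        print(f"{name} = {value}")
    host, machine_id = split_bot_id(fields["b_id"])
    print("hostname:", host, "machine id:", machine_id)
    print("beacons in log:", find_beacons(SAMPLE_LOG))
```

The detector keys on the field set rather than on the IP address, so it still fires if the operators move the C&C host; the trade-off is that any unrelated software using the same five parameter names would also match, so treat a hit as a lead to pivot on (destination, host name, build number) rather than as proof on its own.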

During further analysis we found strings relating to particular languages. We cannot yet determine whether the malware treats certain languages specially during execution.

Among them are several strings indicating Japanese:

The malicious code will delete itself after execution:

Drivers

Of the 17 drivers, 8 are 32-bit and 9 are 64-bit. Their file descriptions read AMD IDE and USB MDM:

While monitoring the behaviour of these drivers, we observed connection requests to a server abroad (the IP address 88.198.25.92 geolocates to Germany).

Combining public reports[1] with our own sample analysis, the logical relationships between the samples are as follows:

The above is the Knownsec Security Team’s current progress on sample analysis.

Attack Hypothesis

Combining public reports[2,3,4] with the information collected so far[5,6], we hypothesise the following attack chain:

1. Attackers deliver malicious Office documents by spear-phishing, either exploiting CVE-2014–4114 (the OLE vulnerability long used by the Sandworm team) or, as with the Excel sample above, relying on the victim to enable macros. The dropped code runs with the privileges of the user who opened the document (administrator in the worst case), executes on the victim host and reports system information to the remote C&C server;

2. From the compromised host, the attackers move into the industrial control network and target HMI (Human Machine Interface) software such as GE Cimplicity, Advantech/Broadwin WebAccess and Siemens WinCC. For GE Cimplicity this can be done through CVE-2014–0751, a directory traversal in the CimWebServer component that allows remote code execution, giving the attackers direct control inside the internal network;

3. Using such a vulnerability, the attackers implant BlackEnergy on the HMI hosts;

4. The implanted BlackEnergy drops the backdoored Dropbear SSH server listening on port 6789, giving the attackers convenient persistent access to the host;

5. At the planned time, the attackers launch the KillDisk component, which destroys (formats) the hosts’ disks and causes the destructive impact.

Related Resource Links

[1] https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf

[2] http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

[3] http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry/

[4] https://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/

[5] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0751

[6] https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
