<h1>Black Energy: The Committed Destructors Strike Again</h1>
<p>Published 2016-01-28 on the Kaspersky blog (last modified 2020-12-17): <a href="https://www.kaspersky.com/blog/black-energy/5091/" target="_blank" rel="noopener">https://www.kaspersky.com/blog/black-energy/5091/</a>. Tags: application control, BlackEnergy, Microsoft Office.</p>
<h2>More Than Espionage</h2>
<p>The majority of targeted attacks hitting businesses nowadays are conducted with cyberespionage in mind, harvesting precious business secrets or confidential personal data. But from time to time attackers get up to something completely different – like sabotage. This mode of attack is especially alarming because IT departments tend to focus on data loss/leaks, leaving them unprepared for cyberattack-induced disruption of their whole business process across many different systems. Sometimes even physical consequences can result – particularly if the targeted business makes extensive use of ICS/SCADA that can be reached (a dangerous design flaw!) through general-purpose networks.</p>
<h2>Damage Incorporated</h2>
<p>The <strong>BlackEnergy</strong> targeted attack group is a threat actor with a taste for destruction. The group has been around for some time, making a name for itself in the late 2000s with extensive <a href="https://securelist.com/analysis/publications/36309/black-ddos/" target="_blank" rel="noopener">DDoS attacks</a> conducted using its namesake Trojan. Since 2014, it has attracted special attention by showing an interest in ICS/SCADA users and producers worldwide. The group’s tools and operations demonstrate considerable skill, well above that of the average DDoS botnet master, as well as real cyberespionage and sabotage capabilities.</p>
<p>Ukrainian companies have long been among their preferred targets, particularly ICS/SCADA companies, energy suppliers and the media. As though deliberately working against the tide, rather than favoring the Java and Adobe Flash exploits most of today’s attackers rely on, the group prefers to deliver its infections inside the targets’ defensive perimeter using Microsoft Office files.</p>
<p>A typical specimen of their .docx lure, for example, referred to a popular news topic – the ‘Pravii Sektor’ (Right Sector) political party – and appeared to be targeting a specific TV/media company.</p>
<p>The file contained an embedded macro, which assembles and runs a typical BlackEnergy dropper. For this script to run, macro execution must be enabled in MS Word. So once the file was opened, a Microsoft Word dialog prompted the user to enable macros in order to view it, claiming that the file had been created with a later version of MS Office. This makes for a particularly successful lure in regions where adoption rates for the latest software versions are low.</p>
<p><img decoding="async" class="size-full wp-image-5093 aligncenter" src="https://media.kasperskydaily.com/wp-content/uploads/sites/92/2016/01/06020428/2.png" alt="Microsoft Word prompt asking the user to enable macros" width="1000" height="798"></p>
<p>After successful execution, the dropper unpacks the final payload, which is launched and set to autorun.</p>
<p>At this stage, after receiving commands from the Command &amp; Control server, the main module, which serves mostly as a downloader, starts fetching the appropriate auxiliary modules. These are capable of searching for and siphoning off data and/or wreaking havoc within the target’s infrastructure.</p>
<p>One of BlackEnergy’s most popular methods of inflicting damage is extensive data wiping. For this, they have added to their arsenal a new wiper – much more advanced than their previous disk-level model – which can selectively wipe different types of data without needing administrative privileges.</p>
<h2>Say ‘No’ to Destruction!</h2>
<p>The malware used by BlackEnergy seems particularly well tested against their targets’ security systems, so their operations have a relatively high success rate. Hence the need to be especially thorough yourself when building – or adjusting – your IT security strategy.</p>
<p>Clearly, employing a standard anti-malware solution is not enough. To significantly reduce the risk of serious damage to your business, you must implement a multi-layered system. The well-known <a href="https://encyclopedia.kaspersky.com/knowledge/strategies-for-mitigating-advanced-persistent-threats-apts/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation" target="_blank" rel="noopener">Mitigation Strategies</a> rankings issued by the Australian Signals Directorate (ASD) specifically state that a complex approach is needed. Such an approach combines administrative, OS and network-based measures, as well as specialized technological measures addressing the individual layers of your IT infrastructure.</p>
<p>And of course, with a serious adversary like BlackEnergy, you need to leverage leading-edge technologies backed by proven security intelligence. Kaspersky Lab’s portfolio of solutions helps implement 19 of the 35 Mitigation Strategies suggested by the ASD, and the majority of these can be covered by one feature-rich product – <a href="https://www.kaspersky.com/business-security/endpoint-advanced" target="_blank" rel="noopener nofollow">Kaspersky Endpoint Security for Business Advanced</a>.</p>
<p>This security platform provides not only a web of pioneering detection technologies but also additional security layers, including Security Controls and Vulnerability Assessment/Patch Management. <a href="https://securelist.com/analysis/publications/36746/application-control-the-key-to-a-secure-network-part-1/" target="_blank" rel="noopener">Application Control</a> features, powered by our cloud-based dynamic allowlists and supporting a Default Deny scenario, are particularly applicable to the industrial sector, preventing the launch of untrusted applications (including malware) while leaving the working environment unchanged. Such controls are listed, along with Vulnerability/Patch Management, among the ASD’s Top 4 Mitigation Strategies, which together are credited with preventing 85% of incidents connected with targeted attacks.</p>
<p>Given BlackEnergy’s habit of using email-based spear-phishing, deploying <a href="https://www.kaspersky.com/business-security/mail-server" target="_blank" rel="noopener nofollow">Kaspersky Security for Mail Server</a> would create an additional powerful barrier to infection. And educating your staff, through <a href="https://www.kaspersky.com/business-security/entrp/solutions/security-intelligence-services" target="_blank" rel="noopener nofollow">Kaspersky Cybersecurity Awareness training</a>, not to open every interesting-looking document they receive protects against a vast number of threats, including those posed by these committed destructors.</p>
<p>While the attackers may be inventive and highly experienced, planning your IT security strategy proactively can clearly give you the upper hand against them – with the help of ever-inventive cybersecurity pioneers: Kaspersky Lab.</p>
<p>If you want to know more about BlackEnergy, read <a href="https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/" target="_blank" rel="noopener">this article on SecureList</a>!</p>
<p>Kaspersky Lab’s products detect BlackEnergy components under the following verdicts:</p>
<ul>
<li>Backdoor.Win32.Blakken</li>
<li>Backdoor.Win64.Blakken</li>
<li>Backdoor.Win32.Fonten</li>
<li>Heur:Trojan.Win32.Generic</li>
</ul>