
The "energy" Trojan BlackEnergy is delivered through a vulnerability in Microsoft Office 2013


Photo: csoonline

Information security specialists from SentinelOne have discovered a new tactic for spreading the BlackEnergy malware, which attacks SCADA systems across Europe. The latest version of this software is distributed via Microsoft Office documents, and the attackers count on inattentive and careless employees of power companies to bring the malware inside.

The latest version of the malware is called BlackEnergy 3, and it is the same software that was used to attack the energy systems of Ukraine. A team of experts from SentinelOne reverse-engineered the malware and found signs that it is being distributed in the manner described above.

BlackEnergy 3 exploits an Office 2013 vulnerability that was fixed some time ago, so it can only work on unpatched machines, or where an employee of the company opens an infected Excel document.

The likelihood that outdated software is in use at energy companies is small, so the main "source" of malware penetration into the enterprise is still its employees, whether voluntarily or unwittingly.

"The vulnerability CVE-2014-4114, in OLE Packer 2 (packager.dll), is now being used. In addition, each executable file was created using compilers of different versions, which allows us to talk about the involvement of different groups in this campaign, much as in an R&D project in which several teams work. And the finished software carries several unique fingerprints of each group," the researchers' report says.
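Because the delivery path described above rides on an OLE Package object embedded in an Office document, a defender's first triage question for a suspicious Excel file is whether it carries such an object at all. The script below is an added example, not code from SentinelOne or the article: it opens an OOXML (xlsx/docx/pptx) archive, lists parts stored under an embeddings/ folder, and reports any `oleObject` element whose ProgID is `Package` (the Packager server, packager.dll). The sample archive it checks is constructed inline for testing, not a real document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def find_ole_objects(doc_bytes):
    """Scan an OOXML archive (bytes) for embedded OLE objects.

    Returns a list of (part_name, progId) tuples. progId is None for parts
    found only by their location under embeddings/; for <oleObject> elements
    in sheet/document XML it is the server ProgID, e.g. 'Package'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = z.namelist()
        # 1. Binary payloads of embedded objects live under */embeddings/.
        for name in names:
            if "/embeddings/" in name:
                findings.append((name, None))
        # 2. <oleObject progId="..."> in any XML part names the OLE server.
        for name in names:
            if not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part; the zip listing above still counts
            for el in root.iter():
                local = el.tag.rsplit("}", 1)[-1]  # strip XML namespace
                if local == "oleObject" and el.get("progId"):
                    findings.append((name, el.get("progId")))
    return findings


def has_packager_object(doc_bytes):
    """True if the document embeds an object served by Packager (packager.dll)."""
    return any(pid == "Package" for _, pid in find_ole_objects(doc_bytes))


def build_sample_xlsx(with_package=True):
    """Constructed minimal xlsx-like archive for testing; not a real workbook."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    ole = '<oleObjects><oleObject progId="Package" shapeId="1"/></oleObjects>'
    sheet = '<worksheet xmlns="%s"><sheetData/>%s</worksheet>' % (
        ns, ole if with_package else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        if with_package:
            z.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()
```

A hit is a triage signal, not a verdict: legitimate workbooks can embed packages, so the flagged file should be detonated or inspected further before being cleared.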

The conclusion is as follows: BlackEnergy is already running in many Ukrainian systems, as well as in the power systems of European countries. If this is true, the malware can be used to cause blackouts and other disruptions at the most unexpected time.

The full report on the problem is available here.

Source: https://habr.com/ru/post/276257/
