Researchers at ESET detected a new wave of cyberattacks on power plants in Ukraine that use malware different from that seen in previous attacks.
While an attack in December that knocked out power to 700,000 customers was found to employ the BlackEnergy malware, this latest assault takes a different strategy. The malware, they stated, is "based on a freely-available open-source backdoor – something no one would expect from an alleged state-sponsored malware operator."
so apparently some of the code from Gcat that I wrote was used to shutdown a power plant in Ukraine https://t.co/yjdoGelrZS
— byt3bl33d3r (@byt3bl33d3r) January 21, 2016
Attackers sent out spearphishing emails earlier in the week carrying a malicious XLS attachment. Embedded in the email's HTML body was a link to a .PNG file on a remote server, which notified the attackers when the message was delivered and opened by the target.
Running the macro in the spreadsheet installed a malicious trojan-downloader that attempted to download and execute the final payload from a remote server based in Ukraine.
However, while the ESET researchers said they expected to observe BlackEnergy as the final payload, the attackers instead used "modified versions of an open-source gcat backdoor written in the Python programming language." The Python script was then converted into a standalone executable with the PyInstaller program.
This backdoor can download executables and execute shell commands, and it is controlled by the attackers through a Gmail account, which, the researchers stated, makes it difficult to detect.
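A Gmail-controlled implant leaves little on the wire beyond ordinary mail traffic, so one practical lead is an unexpected process on a host reaching Gmail's IMAP/SMTP endpoints repeatedly. The following detection script is an added example, not ESET's or gcat's code; it assumes the implant uses Gmail's IMAP and SMTP services (as the open-source gcat does), and the log format, process allow-list and sample log lines are constructed for illustration.

```python
"""Flag processes that talk to Gmail's IMAP/SMTP endpoints but are not
approved mail clients. A gcat-style backdoor polls a Gmail mailbox for
commands, so a non-mail process beaconing to these hosts is worth triage."""
import re
from collections import defaultdict

# Constructed sample of endpoint connection logs (hypothetical format:
# timestamp host process remote_host:port). Not real telemetry.
SAMPLE_LOG = """\
2016-01-20T08:00:01 ws-ops-12 outlook.exe imap.gmail.com:993
2016-01-20T08:05:10 ws-ops-12 svchost_update.exe imap.gmail.com:993
2016-01-20T08:05:11 ws-ops-12 svchost_update.exe smtp.gmail.com:587
2016-01-20T08:10:12 ws-ops-12 svchost_update.exe imap.gmail.com:993
2016-01-20T08:15:09 ws-ops-12 svchost_update.exe imap.gmail.com:993
2016-01-20T08:20:14 ws-ops-12 svchost_update.exe imap.gmail.com:993
2016-01-20T09:00:00 ws-ops-07 chrome.exe www.gmail.com:443
2016-01-20T09:00:01 ws-ops-07 firefox.exe mail.google.com:443
"""

# Protocol endpoints a mail-based implant needs; webmail over 443 is excluded.
GMAIL_MAIL_ENDPOINTS = {("imap.gmail.com", 993),
                        ("smtp.gmail.com", 587), ("smtp.gmail.com", 465)}
# Assumed site allow-list of processes expected to speak IMAP/SMTP.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([\w.-]+):(\d+)$")


def find_gmail_c2_candidates(log_text, min_hits=3):
    """Return {(host, process): count} for non-allow-listed processes that
    reached Gmail IMAP/SMTP endpoints at least min_hits times."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        _ts, host, proc, rhost, port = m.groups()
        if (rhost.lower(), int(port)) not in GMAIL_MAIL_ENDPOINTS:
            continue
        if proc.lower() in ALLOWED_MAIL_CLIENTS:
            continue  # expected client; tune the allow-list per site
        hits[(host, proc)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


if __name__ == "__main__":
    for (host, proc), n in find_gmail_c2_candidates(SAMPLE_LOG).items():
        print(f"ALERT {host}: {proc} reached Gmail mail endpoints {n} times")
```

The allow-list and threshold are the tuning knobs: a single connection from an unusual process may be benign, while a fixed-interval series from an executable that is not a mail client is the pattern to escalate.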
While many suspect nation-state actors at work, owing to the political volatility of the situation between Ukraine and Russia, ESET warns there is not yet any conclusive evidence as to who is behind the cyberattacks.