1/13/2016 Update: This post has been updated with a translation of the text in the BlackEnergy phishing document.

On January 4th, ESET released an excellent blog post about the BlackEnergy Trojan being used to attack power companies in Ukraine and knock out power in some areas. While this is not the first time we’ve seen a cyber attack produce kinetic effects, the BlackEnergy attacks could have been prevented.

The BlackEnergy family of malware has been around for some time. When it came onto the scene it made many researchers nervous, because it had the capability to attack critical infrastructure, though it wasn’t observed doing so at the time. There are ties back to the Sandworm campaign that targeted NATO in 2013, and given the geopolitical tensions between Ukraine and Russia (including malware artifacts from Dyre), many researchers are pointing to Russia for the BlackEnergy attacks.

Attribution helps paint a picture of your attacker, but it means little when the question is “how do I stop it.” Given the scale of the attack and what the attackers wanted, how does one go about preventing multi-million dollar, government-sponsored cyber attacks against your infrastructure? Attack the kill chain.

The stages of a cyber attack are reconnaissance (information gathering), weaponization (putting the malware and exploit together), delivery (sending it), and too late. That last stage covers exploitation (where a user clicks it), installation (where the malware is installed on the system), command and control (where the attacker can interact with your system), and finally exfiltration, or whatever else the attacker wants to do with your stuff. We’re going to look at the delivery phase, because it is the last point at which the defender, not the attacker, decides what happens next.

ESET notes that BlackEnergy was delivered through Excel attachments carrying a malicious macro. Here’s a screenshot:


Figure 1. Screenshot of BlackEnergy phishing attachment, from ESET

1/13/2016 Update: For translation purposes, the language is Ukrainian. The text reads: “This document was created in a new version of Microsoft Office. You need to turn on macros to see the document.” followed by “SAMPLE”. It’s also worth noting how closely the wording matches the Dridex Word documents, as does the use of gradients as text backgrounds.


Figure 2. Dridex macro with similar wording. Image from Proofpoint

But if a user received this phishing email, how many clicks does it take to reach the juicy center of an enterprise?

  1. User opens the email and reads the body (is there anything phishy? Who is the sender? Why are you getting this email?)
  2. User double-clicks the attachment (should have stopped at step one)
  3. User clicks Enable Content (Stop, don’t!)
  4. Office displays a Microsoft security warning telling the user not to enable macros (It’s a trap!)
  5. User clicks through to allow the content, ignoring the first four signs of pwnage (….)

And instead of reporting the suspicious activity, the user just shrugs it off like nothing happened. Attackers of all shapes and sizes have used macros to deliver malware, and there are only two ways to deliver malware to a user through a phishing email. Only two: attachments and links. With such a finite set of ways to attack via phishing, why are people still opening attachments?

87% of users who open phishing emails open them on the day they receive them. While that sounds like a lot, keep in mind that well-trained employees give you an early warning about malware samples that more than likely bypassed (insert your AV vendor here). If those same users report instead of click, you move detection all the way from “why are the lights out in this city?” to “there’s a malicious file, let’s analyze it.” And in many cases we see users reporting suspicious phishing emails before another employee opens them.

To help protect enterprises, you can download a copy of our YARA signature here for detecting macros inside Office documents. We posted this rule in February 2015, but it is worth mentioning again, since macros in Office documents seemed to be the “exploit” of choice for 2015.
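The two delivery vectors above (attachments and links) and the macro check the YARA rule performs can be put together as one mail-gateway style script. The code below is an added example, not the blog’s YARA rule and not ESET’s or anyone else’s tooling; it pulls every attachment and link out of a raw email and flags Office attachments that carry a VBA project, which is the structural marker a macro-detecting signature looks for (a vbaProject.bin part in OOXML zips, or the UTF-16LE “_VBA_PROJECT” directory name behind the OLE2 magic in legacy .doc/.xls files). The email, its “documents” and the sender/recipient addresses are all constructed fixtures, and the OLE2 blob only mimics the bytes a signature would match on; it is not a valid compound file.

```python
"""Added example (not the blog's own YARA rule): a delivery-stage check that
pulls attachments and links out of a phishing email and flags Office
attachments that carry a VBA project, which is what a macro-detecting YARA
rule looks for structurally.

All inputs below (the email and the "documents" inside it) are constructed
fixtures, not real malware; the OLE2 blob only mimics the bytes a signature
would match on and is not a valid compound file.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# OLE2 compound-file header magic (legacy .doc / .xls containers).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are UTF-16LE; "_VBA_PROJECT" appears only when a
# VBA project is stored (Word: Macros/_VBA_PROJECT, Excel: _VBA_PROJECT_CUR).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
URL_RE = re.compile(rb"https?://[^\s<>\"']+")


def has_vba_ooxml(data):
    """OOXML (docm/xlsm/pptm, or a renamed docx/xlsx): any vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False


def has_vba_ole(data):
    """Legacy OLE2: header magic plus the UTF-16LE VBA project stream name."""
    return data.startswith(OLE_MAGIC) and OLE_VBA_MARKER in data


def has_macros(data):
    """Presence check only: says a VBA project exists, not that it is malicious."""
    return has_vba_ooxml(data) or has_vba_ole(data)


def scan_email(raw):
    """Classify every attachment and collect links from the non-attachment text parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "has_macros": has_macros(payload),
        })
    links = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            body = part.get_payload(decode=True) or b""
            links.extend(u.decode("ascii", "replace") for u in URL_RE.findall(body))
    return {"attachments": attachments, "links": links}


# ---- constructed fixtures ---------------------------------------------------

def build_ooxml(with_vba):
    """Minimal OOXML zip; the vbaProject.bin part is a stand-in, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole_with_vba():
    """Synthetic bytes: OLE magic + a UTF-16LE directory name (not a valid file)."""
    return OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 32


def build_phish():
    """A constructed lure in the style described above: one macro-enabled
    attachment, one clean attachment, one link in the body (hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "operator@utility.example"
    msg["Subject"] = "Updated document"
    msg.set_content("This document was created in a new version of Microsoft Office.\n"
                    "You need to turn on macros to see the document.\n"
                    "http://example.invalid/doc\n")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="invoice.xlsm")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename="report.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    report = scan_email(build_phish())
    for a in report["attachments"]:
        print(a)
    print("links:", report["links"])
```

Like the YARA rule, this is a presence check: a hit means “this attachment carries a VBA project and should not reach the user without a look,” not “this macro is malicious.” Two caveats worth knowing before you rely on it: a password-protected OOXML file is stored inside an OLE2 container (the EncryptedPackage stream), so the zip check never sees its parts, and a plain byte search can be evaded by a crafted container, so for actual triage parse the file properly with something like oletools’ olevba.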