The BlackEnergy hackers, who compromised the Ukrainian power grid and cut power to customers of several regional utilities, are likely behind a new series of cyberattacks targeting banks.
Security company ESET says it has identified a new group, which it calls TeleBots, whose modus operandi closely resembles BlackEnergy's. TeleBots primarily targets Ukrainian banks, the firm says, and uses spear-phishing emails carrying malicious Excel documents to infect computers.
The Excel documents carry macros that, once the user enables them, install malware on the target machine, which lets the attackers compromise further systems, move through the whole network, steal documents and passwords, and extract virtually any information they want from the computers.
“The main purpose of the macro is to drop a malicious binary using the explorer.exe filename and then to execute it. The dropped binary belongs to a trojan downloader family, its main purpose being to download and execute another piece of malware. This trojan downloader is written in the Rust programming language,” ESET explains.
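The two behaviours ESET describes, an Office macro dropping a binary and that binary borrowing the explorer.exe filename, both leave marks in process-creation telemetry. The following is an added detection example, not ESET's code or anything from the original report: it runs two rules over constructed Sysmon-style process-creation records (the field names `Image` and `ParentImage` are an assumption) and flags any explorer.exe that does not live in C:\Windows, plus any executable whose parent is an Office application.

```python
"""Flag the TeleBots-style dropper pattern in process-creation events.

Added example; not ESET's tooling. The sample events at the bottom are
constructed for illustration, and the Sysmon-like field names are assumed.
"""
from pathlib import PureWindowsPath

# The only legitimate location of the Windows shell binary.
LEGIT_EXPLORER = r"C:\Windows\explorer.exe"

# Office hosts whose macro engine would be the parent of a dropped binary.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Extensions that mean "a native executable was launched".
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com"}


def analyze_event(event):
    """Return a list of reason strings for one event; empty means benign.

    Rule 1: a process named explorer.exe running from anywhere other than
            C:\\Windows is masquerading (the TeleBots dropper name trick).
    Rule 2: an Office application spawning a native executable is the
            shape of a macro dropper handing control to its payload.
    """
    image = PureWindowsPath(event["Image"])
    parent = PureWindowsPath(event["ParentImage"])
    reasons = []

    # Windows paths are case-insensitive, so normalise before comparing.
    if image.name.lower() == "explorer.exe" and str(image).lower() != LEGIT_EXPLORER.lower():
        reasons.append(f"explorer.exe masquerade: {image}")

    if parent.name.lower() in OFFICE_PARENTS and image.suffix.lower() in EXECUTABLE_SUFFIXES:
        reasons.append(f"Office host {parent.name} spawned executable {image}")

    return reasons


def scan(events):
    """Return [(image_path, [reasons...]), ...] for every flagged event."""
    hits = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# Constructed sample telemetry: a normal logon, a normal Excel launch, and a
# dropper written to %TEMP% under the explorer.exe name and started by Excel.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\ivan\AppData\Local\Temp\explorer.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   ", reason)
```

Only the third record trips both rules. In production the second rule needs an allowlist of benign children Office legitimately starts (print helpers, updaters), otherwise it is noisy; the first rule has essentially no legitimate exceptions and is worth alerting on by itself.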
The backdoor that ends up on infected systems is detected as Python/TeleBot.AA and closely resembles the Trojan BlackEnergy used in its earlier attacks against Ukraine.
Eventually, the attackers also deploy KillDisk, destructive malware that renders the operating system unbootable and which again resembles the wiper used against power grid companies in Ukraine.
Once on a system, KillDisk deletes system files, registers itself as a service, and replaces the boot screen with a picture from the Mr. Robot TV show.
“Interestingly, the KillDisk malware does not store this picture anywhere: rather, it has code that draws this picture in real time using the Windows GDI. It looks like the attackers put a lot of effort just into making the code that draws this picture,” ESET points out.