Attackers believed to be residing in Russia have spread a Trojan file through spearphishing emails that contained malicious Microsoft Word documents, according to security researchers at Kaspersky Lab.
The malicious file allegedly originated from the offshoot of malware campaigns that were launched against Ukraine in 2013, and the Trojan called BlackEnergy will be executed by a script in the malicious Word document. It would be hard for unsuspecting users to detect the malicious nature of the document because it perfectly takes on the form of an ordinary Microsoft Word document.
The BlackEnergy Trojan is built to send information about your computer to a malicious command and control server run by the attackers. This not the first time, however, that hackers took advantage of a vulnerability in the Microsoft Office suite. Last year, Russian hackers also exploited Microsoft Excel and Powerpoint documents to launch their malware campaign.
Like those previous exploits that targeted institutions in Ukraine, the new Microsoft Word malware has been used to hit a television station in the country with the use of a trick. Security researchers suspected that an employee or someone inside the TV station was lure into clicking a document sent via a spearphishing email. The attachment reportedly contained information about a political party in Ukraine as a pretext. In fact, the document contained the BlackEnergy Trojan.
Researchers that looked into the Microsoft Word document for analysis found the server that communicated with the file has limited IP connection, though the command and server connection is in the request field. This request field contained the name of a television station based in Kiev, which Russia annexed in 2014. Also last year, the TV network was reported to be a victim of attacks perpetrated through the BlackEnergy Wiper.
It is not impossible for the BlackEnergy group to shift their focus on Microsoft Word documents as the attack vector because they have attacked Ukraine in the past using other Microsoft Office tools, according to the researchers.
Worse, fresh reports had it that attacks launched through the BlackEnergy malware have now spread across the industrial control systems in Ukraine. The malware largely depends upon a flaw in Office 2013. It is quite dated now, so we can expect that patches for the flaw have been rolled out before. That means machines that did not receive the fix could have the malware executed in them remotely.
The Industrial Control System Cyber Emergency Response Team of the U.S. also reported having found the BlackEnergy in a number of companies including Siemens last year, suggesting the massive infection of the malware.