ESET researchers spotted a unique malicious toolset that was used in targeted cyberattacks to sabotage high-value entities in the Ukrainian financial sector during the second half of 2016.
Researchers believe the group, dubbed “TeleBots,” evolved from the BlackEnergy group, since the toolset used in the attacks shares a number of similarities with that group's tooling, according to a Dec. 13 blog post.
The malicious tools include a Python/TeleBot.AA backdoor, password-stealing tools which include a keylogger, an LDAP query tool, a BCS-server tool, additional backdoors, and a destructive component dubbed KillDisk.
The TeleBots group uses spearphishing emails, attaching Microsoft Excel documents containing malicious macros, in order to drop a malicious binary. The ultimate goal of the macro payload is to download other malware that installs a backdoor which is detected as the Python/TeleBot.AA trojan, the main piece of malware used by the attackers.
The Python/TeleBot.AA backdoor abuses the Telegram Bot API from the Telegram Messenger application to communicate with the attackers. Researchers spotted at least one sample of this backdoor that uses an outlook.com mailbox as its C&C.
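As an added example that is not part of ESET's report or the TeleBots tooling, the following Python scans constructed proxy log lines for the C&C channel described above: requests to the Telegram Bot API, which are always addressed as api.telegram.org/bot&lt;token&gt;/&lt;method&gt;. It assumes a simple "timestamp source verb URL status" log format and reports which internal hosts talk to which bot, with the token secret redacted so the alert can be shared.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (assumed format: timestamp src_ip verb url status);
# the bot tokens are made-up placeholders, not real credentials.
SAMPLE_LOG = """\
2016-12-01T09:14:02Z 10.1.5.23 GET https://www.example.com/index.html 200
2016-12-01T09:14:07Z 10.1.5.23 POST https://api.telegram.org/bot123456789:AAF0ZZEXAMPLEtokenEXAMPLEtokenEXAM/getUpdates 200
2016-12-01T09:15:31Z 10.1.5.41 GET https://api.telegram.org/bot123456789:AAF0ZZEXAMPLEtokenEXAMPLEtokenEXAM/sendDocument 200
2016-12-01T09:16:00Z 10.1.5.23 POST https://api.telegram.org/bot987654321:BBGxEXAMPLEanotherTOKENexampleTOK/sendMessage 200
2016-12-01T09:17:45Z 10.1.5.99 GET https://telegram.org/ 200
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+\S+\s+(?P<url>\S+)\s+\d+$")
# Bot API calls are addressed as https://api.telegram.org/bot<token>/<method>,
# where the token has the form <numeric bot id>:<secret>. Ordinary Telegram
# client traffic does not use this path, so it is a usable distinguishing mark.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

def redact_token(token):
    """Keep the bot id for correlation, drop the secret so alerts can be shared."""
    bot_id, _, _secret = token.partition(":")
    return bot_id + ":<redacted>"

def find_bot_api_calls(log_text):
    """Return one record per Bot API request found in the log, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        u = BOT_API_RE.match(m.group("url")) if m else None
        if not u:
            continue
        hits.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "bot_id": u.group("bot_id"),
            "token": redact_token(u.group("token")),
            "method": u.group("method"),
        })
    return hits

def hosts_by_bot(hits):
    """Group internal hosts by bot id: one bot polled from several hosts points
    at a shared implant rather than one user's chat client."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["bot_id"]].add(h["src"])
    return {bot: sorted(srcs) for bot, srcs in groups.items()}
```

Feeding real proxy logs through `find_bot_api_calls` and then `hosts_by_bot` turns a single odd request into a list of hosts sharing one bot identity, which is the pivot an incident responder needs.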
The LDAP query tool collects detailed information about computers and usernames listed in Active Directory, and the password-stealing tools collect saved passwords from various browsers such as Google Chrome, Internet Explorer, Mozilla Firefox, and Opera, researchers said in the report.
The BCS-server tool allows the attackers to open a tunnel into an internal network that can be used to send and receive data between the C&C server and even non-infected computers in the network.
The KillDisk component is used in the final stages of the attack to delete important system files and make computers unbootable. This component also displays a logo referencing the “F Society” from the Mr. Robot TV show to taunt the victim.
“The cybercriminals behind these targeted attacks demonstrate serious intention to conduct cybersabotage attacks,” researchers said in the post. “To be able to mount such attacks, they are constantly inventing new malware and techniques, such as the use of the Telegram Bot API instead of a more conventional C&C server for example.”