Researchers are pointing to a recently discovered malicious backdoor as a key piece of evidence that apparently links the actors who launched the 2017 NotPetya ransomware attacks with the malicious hackers who disrupted Ukraine’s power grid the year before.
The finding potentially helps to confirm ongoing suspicions among cyber experts that these notorious cyber incidents can traced back to the same group, ESET researchers Anton Cherepanov and Robert Lipovsky are reporting today in a company blog post.
While ESET itself does not reference Russia, it is commonly believed that the NotPetya incident that targeted Ukraine (but affected businesses globally) and the Industroyer malware attack that caused massive blackouts in Ukraine were both sanctioned by the Russian government. NotPetya is widely attributed to an APT actor called the TeleBots Group, aka the BlackEnergy Group or Sandworm – and now it seems that Industroyer could be its creation as well. (In makes sense, considering that the TeleBots group was already deemed responsible for an even earlier attack against the Ukraine power grid in 2015 using the BlackEnergy malware toolkit.)
The Telebots backdoor in question is a malicious software program, first uncovered last April, known as Win32/Exaramel. ESET reports the malware is capable of exfiltrating credentials using an updated version of the common TeleBots tool CredRaptor/PAI, a password stealer that swipes credentials from browsers along with Outlook and various FTP clients. Investigation of this malware also directly led to the discovery of a Linux version called Linux/Exaramel.A.
Delivered via a dropper into the Windows system directory, Win32/Exaramel arrives disguised as an antivirus program and is configured to target users according to the brand of security solution their machines use. ESET said this is just the first of several similarities with Industroyer backdoors, which also pretends to be AV solutions upon installation and also groups its victims by the security software they have installed.
In keeping with the AV ruse, Win32/Exaramel’s command-and-control servers have domain names that were created to sound like they belong to ESET, which sells AV and firewall products, including one previously used by the Linux version of Telebots malware.
ESET drew additional parellels between Win32/Exaramel and Industroyer, noting that “the code of [its] command loop and implementations of the first six commands are very similar to those found in a backdoor used in the Industroyer toolset.” Moreover, “Both malware families use a report file for storing the result output of executed shell commands and launched processes,” and “both backdoors set the ‘hStdOutput’ and ‘hStdError’ parameters to a handle of the report file.”
“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics,” ESET reports. “The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”