Slashdot Mirror


Attackers Use Microsoft Office To Push BlackEnergy Malware (csoonline.com)

itwbennett writes: Researchers at SentinelOne reverse engineered the latest variant of the BlackEnergy 3 rootkit (the same malware used in recent attacks against Ukraine's critical infrastructure) and found indicators that suggest it is being used by insiders and that it is the byproduct of a nation-sponsored campaign. 'BlackEnergy 3 exploits an Office 2013 vulnerability that was patched some time ago, so it only works if the target machine isn't patched or an employee (either deliberately or after being tricked into it) executes the malicious Excel document,' writes CSO's Steve Ragan.

51 comments

  1. To all the idiots ... by Billly+Gates · · Score: 2

    ... Who turn off Windows update. All I can say is told you so.

    1. Re:To all the idiots ... by Gravis+Zero · · Score: 4, Insightful

      Turning off Windows Update puts you at grave risk of malware infection. Turning it on makes it a certainty. The only winning move is not to play. Use Linux. :)

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:To all the idiots ... by rtb61 · · Score: 3, Insightful

      I assume you meant https://www.libreoffice.org/ Libre Office rather than Linux, although, subtly, there is no M$ Office on Linux of course, although in this case you could call it M$ 'open' Orifice, eww, that's bad ;).

      --
      Chaos - everything, everywhere, everywhen
    3. Re:To all the idiots ... by Gravis+Zero · · Score: 0

      I assume you meant https://www.libreoffice.org/ Libre Office rather than Linux

      you assumed incorrectly but it may have to do with your apparent illiteracy. :)

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      Windows Update is pretty cool as long as you're on Windows 7 and you're willing to keep up with an ever increasing list of KBs to deny. There are only about two dozen telemetry updates now, easy peasy for everyone to handle. You have nothing to fear, really, Microsoft has your best interests in mind. NSA isn't involved with Windows 10 at all, the US government won't have any records of what you're doing. There are no keyloggers in Windows 10, and it doesn't hash your files and transmit the results to headquarters to be compared against known pirated software. If you upgrade to Windows 10, your experience will improMICROSOFT IS INSERTING PROBES INTO MY BELLY BUTTON AND COUNTING THE NUMBER OF CORNS IN MY SHIT

    5. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      All you can say is what, motherfucker? I run Windows just fine, have not had any infection since BLASTER, and I don't do stupid shit on the internet, thus I don't require AV solutions, or a stupid outdated HOSTs file, or NoScript, or an adblocker. Yes, stupid shit includes reading mass media ad-laden garbage like the New York Times. I don't do that.

      Take your smug ass elsewhere unless you've actually got a fucking valid point to make.

    6. Re:To all the idiots ... by Anonymous Coward · · Score: 1

      there is no M$ Office on Linux of course

      Wrong. You can use Office 365 on Linux.

    7. Re:To all the idiots ... by antdude · · Score: 1

      Linux can get infections too. The only winning move is not to use computers. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:To all the idiots ... by ChunderDownunder · · Score: 1

      Wine or Android?

    9. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      Sir, language.

    10. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      Well, not everyone wants to be reminded every 10 minutes that they are eligible to update to Windows 10.

    11. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      My install of Windows 7 has been going since 2012, how's that Linux install holding up?

    12. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      Tru dat, plus LibreOffice. Those who use M$ have brought it on themselves.

    13. Re:To all the idiots ... by Zaowulf · · Score: 1

      Thanks for that, Steve Rodgers.

    14. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      Running fine. I have one I know of running since 2006. Had a Solaris instance with more than 5K days. Fuck off

    15. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      Turning it on only removes auto execution, not the exploit of the malware.

      And why the hell should it require an acceptance of a new fucking agreement to get a fucking patch? If I refuse, do I get a full refund of the Windows licence cost (at the statutory rates since the license is stolen from me)?

    16. Re:To all the idiots ... by Anonymous Coward · · Score: 0

      ... To all those idiots who think M$ updates protect them... If you're going to be a technologist you might consider not sounding like an idiot yourself.

    17. Re:To all the idiots ... by armanox · · Score: 1

      Web version.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
  2. Using malware to push malware? by Anonymous Coward · · Score: 0

    wow, how leet. Now try it with libreoffice, noobs.

  3. Re:This raises some very interesting questions. by Anonymous Coward · · Score: 1

    1) If I don't want systemd installed on my Linux computer, does that make systemd a form of malware if it is installed?

    No, unwanted software is not malware. If I install Ubuntu but don't want Gnome installed on my computer that does not make Gnome a form of malware.

    2) If systemd prevents a Linux installation from booting properly, does that make systemd a form of malware?

    No, an application that crashes is not malware.

    3) If systemd comes with a Linux distribution, and the distribution's installer does not include a menu for easily choosing an init system other than systemd, is that Linux distribution considered to be infected with malware?

    No, see response to point 1.

  4. BIZX by 110010001000 · · Score: 0

    Now that BizX, Inc has purchased Slashdot, I would like to welcome our new overlords. If you would like to welcome them, you can by contacting the CEO at: Roger Abbott, CEO, 858.454.5900 ext. 10501, and the President at: Roger Sheppard, President, 858.454.5900 ext. 20501. As an added bonus, the new overlords are an SEO company.

    1. Re:BIZX by NotInHere · · Score: 1

      Cool, thanks for the news. Google seems to confirm what you say: http://www.streetinsider.com/C...

      Or here as well: http://www.marketwired.com/pre...

      Looking forward to having the same overlords as www.MyRatePlan.com, www.VoipReview.org and www.Voip-Info.org!

    2. Re:BIZX by 110010001000 · · Score: 1

      Did Netcraft confirm it? I heard they bought it for a half bottle of whiskey.

    3. Re:BIZX by NotInHere · · Score: 1

      Google confirms, Slashdot is dying. And it's Google, not Netcraft. Google is never wrong.

    4. Re: BIZX by Redmancometh · · Score: 1

      Oh my..an SEO company..if we thought Dice was bad..

  5. Ukraine's critical infrastructure by tetraverse · · Score: 1

    HELLO Ukraine, don't run your critical infrastructure on a malicious Excel document. Microsoft, the company that made typing dangerous.

    1. Re:Ukraine's critical infrastructure by Anonymous Coward · · Score: 0

      You know what the Ukraine is? It's a sitting duck. A road apple. The Ukraine is weak. It's feeble. I think it's time to put the hurt on the Ukraine.

    2. Re:Ukraine's critical infrastructure by Darinbob · · Score: 1

      I for one, would like to welcome our new Putin Jugend overlords.

  6. Re:TRANSLATION by 110010001000 · · Score: 1

    30 million unique visitors? They wish.

  7. Re:TRANSLATION by Dunbal · · Score: 1

    The C:\ prompt is pretty iconic too, but nobody uses it anymore.

    --
    Seven puppies were harmed during the making of this post.
  8. Nation-sponsored campaign? by AHuxley · · Score: 1

    If any nation is using an imported, outdated consumer OS for its critical infrastructure, something is strange.
    Open networks that face the internet, commercial OSes and older applications should be replaced with more robust solutions.

    Re "... deployed in NATO countries, and more broadly across the European Union": would an older vulnerability that might not exist or be updated even be of interest to an advanced nation-sponsored effort?
    The penetration products offered to nations are new, fancy and work on the most modern OS without being found or noticed. AV fails to detect them during their useful operation.
    Other products have been crafted to only go after very bespoke systems and evade traditional logs, tracking, AV or firewalls, e.g. Equation Group.
    The software used by nations is modern and always works, i.e. not hoping to guess that all systems are not updated and that access will be lucky.
    What nation would risk it all on old code that is of no use and will quickly be discovered, hoping that an application or OS version will align with their access?
    Nations can afford to win using the best code that is mission ready and that no other party has seen, as it is bespoke, no matter what new upgrades or commercial security products are in place.
    The "constantly changing attack vectors" is not new. An old consumer OS left open to the internet is not a national energy policy.
    Having industrial networks facing the internet is not a great idea.

    --
    Domestic spying is now "Benign Information Gathering"
  9. Re:TRANSLATION by malditaenvidia · · Score: 1

    I'm stuck on Windows NT 4.0, you insensitive clod.

  10. Re: TRANSLATION by guruevi · · Score: 1

    Anyone managing a Windows machine has used DOS, unlike Linux you pretty much cannot manage the damn system without. (I wish I was kidding)

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  11. Re: TRANSLATION by Dutch+Gun · · Score: 1

    I'm not sure how many people are expecting to manage a Linux system using DOS.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  12. Re:This raises some very interesting questions. by Darinbob · · Score: 1

    It depends maybe if the software that's unwanted causes noticeable loss in performance, has unwanted side effects or causes other programs to stop working, etc. The software update may cause more damage than real malware, then the only real difference is intentional versus unintentional harm to your computer.

  13. Re:TRANSLATION by Bite+The+Pillow · · Score: 1

    How do you catch 30 million unique rabbits?

    PAY CMDRTACO 100 KILODOLLARS AND UNIQUE UP ON THEM.

  14. Stupid mods by Anonymous Coward · · Score: 0

    So spam in the Ukraine is Slashdot front-page material?
    I hope the new management fires you all... maybe we could stop seeing the overhyped, bidaily CSO crap

  15. It's interesting how... by Anonymous Coward · · Score: 1

    ... I no longer feel shocked by reading "Microsoft" and "malware/virus" in the same sentence. When you read some news about OS X, or some FUD about Linux, and malware there is room for some banter. But with Microsoft it is kind of expected. Isn't it sad that the name of a company is that linked to malware?

  16. Re:This raises some very interesting questions. by parkinglot777 · · Score: 1

    Not really. Think of it in terms of sets. Malware is a subset of unwanted software. Unwanted software may or may not have any effect on your computer and/or the info you enter or store via/in the computer, but rather occupies space in storage. Malware is both unwanted and intended to do something that in turn harms the user and/or computer. However, some malware may have a side effect that its creator doesn't intend (e.g. leaving a computer vulnerable, which allows other malware in).

  17. When is a patch not a patch? by Anonymous Coward · · Score: 0

    'BlackEnergy 3 exploits an Office 2013 vulnerability that was patched some time ago, so it only works if the target machine isn't patched or an employee (either deliberately or after being tricked into it) executes the malicious Excel document,' writes CSO's Steve Ragan.

    A vulnerability that is still present if user behavior allows triggering the payload is NOT PATCHED. It's a workaround, at best.

    1. Re:When is a patch not a patch? by clodney · · Score: 1

      'BlackEnergy 3 exploits an Office 2013 vulnerability that was patched some time ago, so it only works if the target machine isn't patched or an employee (either deliberately or after being tricked into it) executes the malicious Excel document,' writes CSO's Steve Ragan.

      A vulnerability that is still present if user behavior allows triggering the payload is NOT PATCHED. It's a workaround, at best.

      Nonsense. If the user is running as administrator, then the user triggering the payload is perfectly acceptable as far as Windows is concerned, because an admin user is allowed to do whatever they want to the machine. And before you say that it is still MS's fault because users need to run as admin - that hasn't been true in years. Some sites still allow users to be admins of their own machines, but that is a policy decision, not something that Windows forces on them.

  18. Re: TRANSLATION by Anonymous Coward · · Score: 0

    Yah, got to install Cygwin at least, else you ain't gonna get far managing anything from DOS.

  19. In Soviet Union .... by Anonymous Coward · · Score: 0

    BlackEnergy malware pushes Microsoft Office!

  20. Easy to block C&C payload servers via hosts by Anonymous Coward · · Score: 0

    0.0.0.0 mail1.auditoriavanzada.info
    0.0.0.0 auditoriavanzada.info
    0.0.0.0 lasvegas-nv-datacenter.com

    (Insert those entries into hosts as they are shown with blocking addresses in front of them 'blackholed' & I obtained them via reverse DNS methods...)

    * Which resolves out to 5.149.254.114 for the first two listed above (inserted as a firewall rule as well) & 162.246.22.74 (which oddly also points to the first two domains) + 64.235.52.31 for the last one in the list of blocked host-domain names for hosts above!

    (Data obtained from the source article research/disassembly material + tracings PDF file provided & done by the researchers (they're some of the best guys in the world, all of their kind imo, in giving us all this information to protect ourselves...)).

    APK

    P.S.=> My next post? I bet you'll NEVER guess what that'll be about as an "addendum" to this one folks, lol... apk
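
The hosts-file blocking the comment above describes, as an added example that is not part of the post or of the SentinelOne research: it parses an existing hosts file, finds which of the three domains the comment lists are already sinkholed (by 0.0.0.0 or 127.0.0.1), and appends only the missing entries so repeated runs do not duplicate lines. The sample hosts content is constructed for the example.

```python
# Added example (not from the Slashdot post or the SentinelOne research): merge
# blackhole entries for the C&C domains named in the comment above into an
# existing hosts file without duplicating entries that are already present.
import re

# Domains quoted in the comment above; the blackhole address is the one it uses.
BLACKHOLE = "0.0.0.0"
BLOCKED_DOMAINS = [
    "mail1.auditoriavanzada.info",
    "auditoriavanzada.info",
    "lasvegas-nv-datacenter.com",
]

# Constructed sample hosts file: one domain is already sinkholed via 127.0.0.1
# (the other common sinkhole address) and carries a trailing comment.
SAMPLE_HOSTS = """# Host Database
127.0.0.1 localhost
127.0.0.1 auditoriavanzada.info   # added last week
0.0.0.0   ads.example.invalid
"""

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def blackholed_names(hosts_text: str) -> set:
    """Return every hostname the hosts file already maps to a sinkhole address."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments and whitespace
        if not line:
            continue
        addr, *hosts = re.split(r"\s+", line)
        if addr in SINKHOLES:
            names.update(h.lower() for h in hosts)
    return names


def merge_blocklist(hosts_text: str, domains) -> tuple:
    """Append missing blackhole entries; return (new_text, domains_added)."""
    present = blackholed_names(hosts_text)
    added = [d for d in domains if d.lower() not in present]
    if not added:
        return hosts_text, []
    body = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    body += "# BlackEnergy C&C domains (from the comment above)\n"
    body += "".join(f"{BLACKHOLE} {d}\n" for d in added)
    return body, added


if __name__ == "__main__":
    text, added = merge_blocklist(SAMPLE_HOSTS, BLOCKED_DOMAINS)
    print(text)
```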

  21. APK Hosts File Engine 9.0++ SR-4 32/64-bit by Anonymous Coward · · Score: 0

    See subject & for the best custom hosts file http://start64.com/index.php?o...

    -

    FREE, not 'souled-out' to advertisers + adds speed, security & reliability.

    Does far more w/ far less more efficiently vs. browser addons (clarityray blockable, redundant + RAM/CPU wasteful & 'souled-out' crippled by default) & local DNS servers @ home.

    It fixes DNS' security issues & stops tracking @ webpage + DNS levels via 1 file you NATIVELY have!

    (Firewalls do the rest on far less used IP address trackers/threats vs. host-domain names).

    -

    Obtains data vs. threats & adblocking via 10 reputable security community sites - easily edited by you.

    -

    SPEEDS YOU UP 2 ways:

    Adblocking ALL ads + local RAM cached favorite sites @ TOP of hosts for faster resolution vs. remote DNS (aids reliability) vs. other "so-called security 'solutions'" SLOWING YOU!

    -

    All via what you already have vs. illogically "bolting on browser addons 'MOAR'" (clarityray detected/blockable + usermode slow & increased messagepassing, cpu + ram overheads)

    -

    MalwareBytes' hpHosts Admin (MalwareBytes employee verified its source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl...

    &

    MalwareBytes = BEST antivirus per a VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    32-bit model https://www.virustotal.com/en/...

    &

    Installer-> http://f.virscan.org/APKHostsF...

    -

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is a mighty military commander who can at a mere word summon rank upon rank of protective power" -> https://answers.yahoo.com/ques... & THE WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  22. Global Mother Fucking Spyware? by Anonymous Coward · · Score: 0

    How can you put malware... on malware... that is also spyware and adware already?

    dicks.