At the Virus Bulletin conference last month held in Seattle, ESET Researchers presented their research on BlackEnergy trojan that has evolved into a malicious tool designed for espionage in Ukraine and Poland. A new blogpost from Robert Lipovsky on WeLiveSecurity.com reveals more about the 0-day vulnerability in Microsoft PowerPoint used by this malware to infect its victims.
“In the August 2014 campaigns, a number of potential victims have received spear-phishing emails. The text of the e-mail was written to grab the recipients’ attention and mentioned rebels in the East of Ukraine,” explains Lipovsky.
Victims received a suspicious email with a malicious PowerPoint file and were led to open the attachment. After the victim clicked on the attachment a name list in Ukrainian was displayed. In the background two files were automatically downloaded from an untrustworthy network location. The file masked as a .gif was not an image but a BlackEnergy Lite dropper and the other file was used to launch it as an executable.
“Functionally similar exploits have been known since at least 2012 but have not been widely abused. After seeing this one actively used by malware in-the-wild, ESET has reported it to Microsoft on September 2nd, 2014. Now that the vulnerability has been recognized as CVE-2014-4114 and Microsoft created a patch for it, we strongly encourage all users to close this infection vector by updating as soon as possible," concludes Lipovsky.
BlackEnergy was first publicly analyzed by Arbor Networks in 2007 as a relatively simple DDoS trojan. From that time it evolved into a modern type of malware with modular architecture suitable for sending spam and committing online banking frauds. The second version of this dangerous malware was first documented by Secure Works in 2010.
For more information on the BlackEnergy trojan by Robert Lipovsky, read an article on WeLiveSecurity.com or follow #BlackEnergy on Twitter.