Last week’s devastating NotPetya attack might have been launched by the same threat group that previously used the Russia-linked BlackEnergy malware family in attacks against Ukraine, security researchers reveal.
Initially believed to be a ransomware incident using the same distribution mechanism as WannaCry, NotPetya eventually proved to be a disk wiper whose sole purpose was to damage infected computers. Like WannaCry, NotPetya hit Windows 7 machines the most.
The malware eventually hit systems in more than 65 countries, but most of its victims are located in Ukraine. Of fewer than 20,000 machines infected by NotPetya (also referred to as PetrWrap, ExPetr, GoldenEye, and Diskcoder.C), more than 70% are in Ukraine, Microsoft says.
Late last week, security researchers also put forward a likely reason why Ukraine was hit the most: the attack appears to have been launched by the same threat group behind numerous other attacks against the country’s power grid, mining and railway systems, and Ukrainian government organizations.
Dubbed TeleBots by ESET, the group was previously referred to as BlackEnergy or Sandworm Team. One of the tools associated with it is the KillDisk wiper, which in recent attacks added ransomware capabilities and demanded a 222 Bitcoin ransom from its victims.
The NotPetya sample used in last week’s attack shares a series of similarities with the BlackEnergy and KillDisk malware families, Kaspersky Lab and ESET security researchers have found.
The list of file extensions NotPetya targets resembles the list in a wiper the group was using in 2015, Kaspersky Lab reveals. The two lists are similar in composition and formatting (both stored as a single dot-separated string), which suggests a possible link, the researchers say.
According to Kaspersky, a YARA rule they created during analysis “fires on BlackEnergy and ExPetr samples only” when run on the company’s extensive malware collection. Each string used in the rule can generate false positives on its own, but “when combined together in this fashion, they become very precise,” the researchers say.
“Of course, this should not be considered a sign of a definitive link, but it does point to certain code design similarities between these malware families,” Kaspersky says.
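The two heuristics Kaspersky describes above, as an added example that is not the article's or Kaspersky's own code: first, parsing two dot-separated extension lists and measuring their overlap; second, evaluating a YARA-style "all of them" rule, where each string alone also hits benign files but the conjunction fires only on the two malware-like blobs. The extension lists, indicator strings and sample blobs are constructed for illustration and are not the real strings from either malware family.

```python
"""Added example: extension-list comparison and a conjunction-of-weak-indicators rule.

All data below is constructed for illustration; none of it is the real
content of the BlackEnergy, KillDisk or NotPetya samples.
"""
from __future__ import annotations

# --- 1. Dot-separated target-extension lists ------------------------------

# Constructed lists in the format the article describes: one string,
# extensions separated by dots, leading dot included.
WIPER_2015_EXTS = ".3ds.7z.accdb.ai.asp.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml"
NOTPETYA_EXTS = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx"


def parse_ext_list(blob: str) -> set[str]:
    """Split a dot-separated extension string into a set of lowercase extensions.

    The leading dot produces an empty first element, which is dropped.
    """
    return {e.lower() for e in blob.split(".") if e}


def compare_ext_lists(a: str, b: str) -> dict:
    """Return shared/unique extensions and the Jaccard similarity of two lists."""
    sa, sb = parse_ext_list(a), parse_ext_list(b)
    shared, union = sa & sb, sa | sb
    return {
        "shared": sorted(shared),
        "only_a": sorted(sa - sb),
        "only_b": sorted(sb - sa),
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


# --- 2. Conjunction of weak indicators ------------------------------------

# Constructed indicator strings (hypothetical). Each is something a benign
# program could legitimately contain; the YARA equivalent of rule_all_of()
# is a rule whose condition is "all of them".
WEAK_STRINGS = (
    b"\\\\.\\PhysicalDrive0",  # raw disk handle, also used by disk utilities
    b"schtasks",               # task scheduler, also used by installers
    b"/c shutdown",            # reboot via cmd.exe
    b".dbf.doc.docx",          # fragment of a dot-separated extension list
)

# Constructed byte blobs standing in for binaries in a malware collection.
SAMPLES = {
    "blackenergy_like": b"... \\\\.\\PhysicalDrive0 ... schtasks ... /c shutdown -r ... .dbf.doc.docx ...",
    "expetr_like": b"schtasks /Create ... /c shutdown -r -f ... \\\\.\\PhysicalDrive0 ... .3ds.7z.dbf.doc.docx.xls",
    "benign_disk_tool": b"CreateFileW(\\\\.\\PhysicalDrive0) ... format?",
    "benign_installer": b"schtasks /Create /TN Updater ... cmd /c shutdown /r /t 0",
    "benign_office_addin": b"supported: .dbf.doc.docx.xls",
}


def rule_all_of(blob: bytes, strings=WEAK_STRINGS) -> bool:
    """Equivalent of a YARA rule with condition 'all of them'."""
    return all(s in blob for s in strings)


def evaluate(samples=SAMPLES, strings=WEAK_STRINGS) -> dict:
    """Per-string hit lists (each string alone) versus what the conjunction fires on."""
    per_string = {s: [name for name, blob in samples.items() if s in blob] for s in strings}
    fired = sorted(name for name, blob in samples.items() if rule_all_of(blob, strings))
    return {"per_string": per_string, "fired": fired}


if __name__ == "__main__":
    r = compare_ext_lists(WIPER_2015_EXTS, NOTPETYA_EXTS)
    print(f"shared={len(r['shared'])} only_2015={r['only_a']} "
          f"only_notpetya={r['only_b']} jaccard={r['jaccard']:.2f}")
    ev = evaluate()
    for s, hits in ev["per_string"].items():
        print(f"{s!r} alone hits {len(hits)} samples: {hits}")
    print("all-of rule fires on:", ev["fired"])
```

On the constructed data every individual string hits three samples, one of them benign, while the four-way conjunction fires only on the two malware-like blobs, which is the effect Kaspersky describes. The same caveat applies: a precise rule on a fixed corpus shows shared code habits, not a proof of common authorship.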
ESET, on the other hand, appears more confident of the connection between TeleBots and NotPetya, and even suggests that this was the third major attack the group launched this year against Ukraine.
The first, they say, was launched in March and delivered as its final payload a ransomware family detected as Filecoder.NKH. Tools used in the attack included the Python/TeleBot.A backdoor, a heavily obfuscated VBS backdoor, CredRaptor (a password stealer), Plainpwd (a modified Mimikatz used to recover Windows credentials), and SysInternals’ PsExec (used for lateral movement). Linux ransomware was deployed on non-Windows servers.
In late May, the group launched a second large ransomware attack against Ukraine, this time using a piece of malware known as XData (detected as Filecoder.AESNI.C). Five days into the attack, 96% of the malware’s detections were in Ukraine, ESET reported on May 23.
The ransomware also packed code that allowed it to move laterally within compromised networks automatically: it featured an embedded Mimikatz DLL to extract Windows credentials and SysInternals’ PsExec utility for spreading.
One month later, the group launched a third, more sophisticated attack against organizations in Ukraine. Borrowing code from last year’s Petya ransomware, the actors created a wiper and added the NSA-linked SMB exploits (EternalBlue and EternalRomance) to maximize its spreading capabilities.
“However, unlike the original Petya ransomware, Diskcoder.C’s authors modified the MBR code in such a way that recovery won’t be possible. Specifically, the attacker cannot provide a decryption key and the decryption key cannot be typed in the ransom screen, because the generated key contains non-acceptable characters,” ESET explains.
The initial infection vector in the NotPetya incident was the Ukrainian accounting software M.E.Doc, the same as in the XData attack. For the March attack, the group compromised another software company in Ukraine (not related to M.E.Doc) and gained access to the internal networks of several financial institutions through VPN tunnels.
“[The] Diskcoder.C outbreak suggests that the attackers had access to the update server of the legitimate software. Using access to this server, attackers pushed a malicious update that was applied automatically without user interaction. That’s why so many systems in Ukraine were affected by this attack,” ESET notes.
The security researchers also believe that the M.E.Doc server, where they discovered a malicious PHP backdoor named medoc_online.php in an FTP directory, may have been used as an infection vector for other malware as well. Using malicious updates, the group reportedly deployed its own tools “in a stealthy way to computer networks that belong to high-value targets.”