Hackers spoofed energy firm Energoatom to distribute malware

April 17, 2023

Cybercriminal attackers initiated a new multi-staged attack that leverages a malicious document disguised as originating from Energoatom. The impersonated entity is a Ukrainian state enterprise that manages four nuclear power plants.

Based on reports, the campaign uses the Havoc command-and-control framework together with an open-source toolkit to deliver several payloads in multiple stages.


The threat actors who impersonated Energoatom used an image archive to disseminate their malicious documents.


According to investigations, the Energoatom attackers used an ISO image archive with the same name as the targeted entity to deliver the malicious document. The document instructs users to enable Word macro execution in order to open it.

Once the user enables the macro, the overlay image disappears and reveals a list of people authorised to receive protective equipment. Several malicious activities also run in the background once the document's macro script has executed.

The malware also checks for the existence of the file OfficeTelemetry[.]dll at a particular path on the system; the next-stage payloads are only delivered if that [.]dll exists. On inspection, the file appears to be a DLL but is in fact a standalone executable.
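The mismatch described above, a file carrying a .dll name that is really a standalone executable, is something a defender can check for directly from the PE header: the COFF Characteristics field tells you whether the image was linked as a DLL regardless of its filename. The following triage script is an added example, not code from the original article or from any vendor report on this campaign. It parses only the DOS header, the PE signature and the COFF header, and builds a few constructed header-only stubs so it runs offline; the OfficeTelemetry.dll filename is taken from the article, everything else is assumed.

```python
import struct
from typing import Optional

# COFF Characteristics flags from the PE/COFF specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def pe_characteristics(data: bytes) -> Optional[int]:
    """Return the COFF Characteristics field of a PE image, or None if the
    bytes do not start with a well-formed MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew (offset of the PE signature) lives at DOS header offset 0x3C.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte "PE\0\0" signature followed by the 20-byte COFF header;
    # Characteristics is the last 2-byte field, i.e. at e_lfanew + 22.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return characteristics


def classify(name: str, data: bytes) -> str:
    """Compare the file extension against what the PE header says the image is.
    A .dll that is not linked as a DLL (or vice versa) is flagged for review."""
    chars = pe_characteristics(data)
    if chars is None:
        return "not-pe"
    is_dll = bool(chars & IMAGE_FILE_DLL)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext == "dll" and not is_dll:
        return "suspicious: .dll name but EXE characteristics"
    if ext == "exe" and is_dll:
        return "suspicious: .exe name but DLL characteristics"
    return "dll" if is_dll else "exe"


def build_stub_pe(characteristics: int) -> bytes:
    """Construct a minimal header-only PE stub (a constructed sample for the
    demo, not a real binary): 64-byte DOS header, PE signature, COFF header."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, no sections, no timestamp/symbols, no optional header.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def triage(samples):
    """Classify a list of (filename, bytes) pairs and return the verdicts."""
    return [(name, classify(name, data)) for name, data in samples]


if __name__ == "__main__":
    # Constructed inputs: a .dll that is really an EXE, a genuine DLL, and a non-PE file.
    samples = [
        ("OfficeTelemetry.dll", build_stub_pe(IMAGE_FILE_EXECUTABLE_IMAGE)),
        ("legit.dll", build_stub_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)),
        ("notes.txt", b"plain text, not a PE"),
    ]
    for name, verdict in triage(samples):
        print(f"{name}: {verdict}")
```

In practice you would feed `classify` the first few hundred bytes of each file found under the directory the campaign drops into, and treat the "suspicious" verdicts as triage leads rather than convictions, since legitimate packers and some build tools also produce oddly named images.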

After execution, the file locates a compressed payload in memory, performs further cleanup tasks to obtain another payload, and runs it via ShellExecute. The second stage contains shellcode with an attached Havoc command-and-control agent DLL; the shellcode searches for the payload in memory and calls the KaynLdr loader.

KaynLdr then loads the Havoc Demon agent, which contacts the C2 server for further instructions from the attackers. Several layers of obfuscation protect the code throughout. Lastly, the VBA code in the macro combines several interesting techniques to complicate threat analysis.

The threat actors' use of multiple creative methods to obfuscate the primary payload code and evade security solutions means the malware can operate longer before detection, giving its operators more time to carry out post-exploitation activities. Finally, the actors' use of the Havoc framework helps them keep threat analysts at bay.

Cybersecurity experts recommend that users adopt a proactive approach, such as using a threat intelligence platform, to stay protected against these attacks.
