Analysis of a new backdoor program allowed malware researchers to establish clear links between the cyberattacks that led to power outages in Ukraine in 2015 and 2016 and the NotPetya ransomware outbreak.
The new backdoor is called Exaramel and is used by a Russian APT group known as Sandworm or TeleBots, which has been operating for many years and is known for targeting energy utilities with a malware program called BlackEnergy.
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) first issued an alert about BlackEnergy in 2014, and in December 2015 the malware was used in an attack against power distribution stations in Ukraine, leading to blackouts that affected more than 200,000 people.
A year later, in December 2016, another cyberattack hit Ukraine’s power grid, leading to new blackouts in Kiev, the country’s capital. That attack did not use BlackEnergy, but rather a new malware framework that researchers have dubbed Industroyer or Crashoverride.
Sandworm’s attacks over the years have not been limited to energy utilities. The group has gone after high-value targets across many industry sectors, in Ukraine and beyond, including government officials from EU and NATO countries.
The group is also believed to be responsible for NotPetya, the 2017 global ransomware outbreak that started in Ukraine and ended up disrupting the operations of major companies around the world.
Although some security companies had previously found links between the 2016 Industroyer attack and TeleBots/Sandworm, no hard evidence had been uncovered until now.
According to a new report by researchers from ESET, Sandworm’s new Exaramel backdoor was found in April inside the network of a non-industrial organization in Ukraine and bears strong code similarities to Industroyer.
“Our analysis suggests that this TeleBots’ backdoor is an improved version of the main Industroyer backdoor,” the ESET researchers said.
“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy,” the researchers said. “While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”
ESET found two versions of Exaramel, one for Windows and one for Linux. The Windows version creates a service called “Windows Check AV” and groups targets based on the security solutions they use, a behavior that has also been observed in Industroyer.
After it’s installed, the backdoor connects to a command-and-control server and receives commands. It has the ability to launch processes under specific Windows users, to write and exfiltrate files and to execute shell commands and VBS code.
“The code of the command loop and implementations of the first six commands are very similar to those found in a backdoor used in the Industroyer toolset,” the ESET researchers said.
Exaramel is used by attackers to deploy additional tools, including a password-stealing program associated with TeleBots called CredRaptor or PAI and a modified version of Mimikatz, an open source tool for stealing Windows credentials.
The new version of CredRaptor deployed by Exaramel is capable of stealing passwords stored inside browsers, Outlook and many FTP clients.
“This improvement allows attackers to collect webmaster’s credentials for websites and credentials for servers in internal infrastructure,” the researchers said. “Once access to such servers is obtained, attackers could plant additional backdoors there.”
One such backdoor is the Linux version of Exaramel, which is written in the Go programming language and is compiled as a 64-bit ELF binary. Like the Windows version, Linux/Exaramel.A can upload and download files to and from a command-and-control server and can execute shell commands.
Exaramel is evidence that the Sandworm group continues its activities, alongside other Russian APT groups including Fancy Bear (APT28) and Turla, and is improving its toolset despite the attention it received following the high-profile attacks attributed to it.