Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Attackers Use Word Docs to Deliver BlackEnergy Malware

The advanced persistent threat (APT) actor behind the recent attacks targeting Ukraine has started delivering BlackEnergy malware using specially crafted Word documents with embedded macros.

The advanced persistent threat (APT) actor behind the recent attacks targeting Ukraine has started delivering BlackEnergy malware using specially crafted Word documents with embedded macros.

BlackEnergy malware, which is leveraged by one or multiple groups, has become increasingly sophisticated and its operators have been using it to target energy and ICS/SCADA companies from across the world. A recent campaign involving BlackEnergy malware has been seen targeting Ukraine’s critical infrastructure.

A coordinated attack launched against the country’s energy sector in December resulted in power outages in the Ivano-Frankivsk region. Investigators found BlackEnergy malware on infected systems, along with a destructive plugin known as KillDisk that is designed to delete data and make systems inoperable. However, experts believe the malware is not directly responsible for the outages, and instead it only helped attackers cover their tracks and make it more difficult to restore service.

Ukrainian security firm Cys Centrum reported last year that the attackers had leveraged PowerPoint presentations to deliver the malware. In mid-2015, threat actors started using specially crafted Excel spreadsheets with embedded macros to drop the Trojan onto targeted systems.

Kaspersky Lab reported on Thursday that attackers recently started attaching malicious Microsoft Word documents to their spear phishing emails. ICS-CERT, which has been assisting CERT Ukraine in investigating the recent attacks, has confirmed the use of malicious Word documents.

A document sample was uploaded to an online scanner service on January 20 and a relatively low number of security products flagged it as a threat. The document in question referenced Ukrainian far-right nationalist political party Right Sector (Pravyi Sektor).

When the document is opened, the user is warned that macros have been disabled for security reasons. The malicious macro can only be executed if the victim clicks the “Enable Content” button in the document.

Microsoft disabled macros by default several years ago specifically because malicious actors started abusing the feature to deliver malware. However, threat actors have not given up on the technique and in many cases they’ve tricked users into enabling the feature by claiming that it’s needed to view content.

If macros are enabled, an executable file named “vba_macro.exe” is created and written to the disk. This executable is a BlackEnergy dropper designed to drop and run the final payload, Kaspersky said.

Security firm SentinelOne published a report on Wednesday detailing the use of Microsoft Office documents and macros in BlackEnergy attacks. The company concluded that internal actors might have helped BlackEnergy attackers, especially in operations aimed at SCADA systems.

SentinelOne, whose research focused on Excel spreadsheets, pointed out that macros embedded in documents can be executed either by getting the user to enable macros or by leveraging an Object Linking and Embedding (OLE) vulnerability in Office (CVE-2014-4114) that was patched by Microsoft in October 2014.

BlackEnergy Infected Document Screenshot

“The only two options then to carry out the attack is – target a victim’s machine that was not patched, or get an internal employee to either accidentally or deliberately execute the infected Excel documents causing the malware to propagate inside the network. At this point it would be highly unlikely that organizations have not deployed the patch against CVE-2014-4114, thus the most likely conclusion is use of an internal actor,” SentinelOne said in its report.

Udi Shamir, Chief Security Officer at SentinelOne told SecurityWeek that a new attack targeting a Ukranian power facility was just detected on Tuesday, but was unable to provide specific details, other than saying the attack vector appears to the be the same variant analyzed in this report.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.