Connect with us

Hi, what are you looking for?



Exaramel Malware Reinforces Link Between Industroyer and NotPetya

A new piece of malware discovered a few months ago by researchers at ESET provides more evidence that Industroyer (aka Crashoverride) is linked to the NotPetya wiper.

A new piece of malware discovered a few months ago by researchers at ESET provides more evidence that Industroyer (aka Crashoverride) is linked to the NotPetya wiper.

Industroyer is a piece of ICS-focused malware that was used by threat actors in the December 2016 attack aimed at an electrical substation in Ukraine, which resulted in significant power outages.

Experts have found links between this attack and various threat groups believed to be operating out of Russia, including BlackEnergy, TeleBots, Sandworm, and Electrum. The campaigns attributed to BlackEnergy, TeleBots, Sandworm, and Electrum could have been carried out by one or multiple groups, but overlaps in code, infrastructure and targeting have often made it difficult to make a clear distinction between their activities.

NotPetya — initially believed to be a piece of ransomware and later proven to be a wiper — has also been linked by researchers to BlackEnergy and KillDisk malware, which had been used in the 2015 attacks on Ukraine’s energy sector.

While there are several pieces of evidence that support the theory of a connection between NotPetya and BlackEnergy, the link between Industroyer and the Russian groups is mainly based on components that are similar in concept rather than actual code similarities.

However, a new piece of malware uncovered by ESET in April 2018, tracked by the company as Exaramel, provides stronger evidence of a connection between Industroyer and TeleBots.

Exaramel, which ESET has classified as a backdoor, is delivered by a dropper. The configuration data written by the dropper in the Windows registry includes the security solution used on the compromised system, which reminds of Industroyer.

Once executed, the backdoor can allow the attackers to launch processes, write data to a file, upload files, execute shell commands, and run VBS code. Researchers have found significant similarities in the code implementing some of the commands in Exaramel and a backdoor from the Industroyer toolset.

Advertisement. Scroll to continue reading.

Another similarity is related to the fact that both Exaramel and the Industroyer backdoor use a report file to store the output of executed shell commands and processes.

According to ESET, the main difference between Exaramel and Industroyer is that the former uses the XML format for communication and configuration instead of a custom binary format. Anton Cherepanov, senior malware researcher at ESET, told SecurityWeek that the main advantage of using XML is that it’s much easier to implement code that would use this format.

Cherepanov noted that while there are some other differences between these pieces of malware, they are not that different from a high level perspective.

The expert told SecurityWeek that ESET has only seen one attack involving Exaramel — aimed at an organization in Ukraine. It’s interesting to note that the target was not an industrial facility.

Industrial cybersecurity firm Dragos revealed earlier this year that the threat group behind Industroyer, which it tracks as Electrum, had started targeting entities outside of Ukraine, including organizations in the water and electric sectors.

ESET has identified two samples of the Exaramel backdoor, along with various other tools used by the attackers. Some of these tools have been seen in previous attacks launched by TeleBots, including a modified version of Mimikatz and a custom password stealer named CredRaptor. During incident response, ESET also uncovered a Linux backdoor, which the company tracks as Linux/Exaramel.A.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely,” ESET said in a blog post published on Thursday.

Exaramel provides evidence in support of link between Industroyer and NotPetya

ESET also noted that the attackers had started using domain names that appeared to be related to the security firm. This was most likely done in an effort to hide malicious traffic.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...