New malware targeting energy grid actively evades security measures

Nation state attackers believed to be behind the 'sophisticated' malware targeting utilities

New malware, which security researchers say was most likely crafted by nation-state attackers, has been identified on the network of a European energy company.

The malware was possibly released in May, and was written to bypass traditional anti-virus software and next-generation firewalls. It also uses anti-sandboxing techniques intended to hamper analysis: when it detects that it is running inside a sandbox, it terminates early, so sandboxing products such as GFI and Joe Sandbox will not reveal the malware's full functionality in analysis.

"The [malware] sample appears to be targeting facilities that not only have software security in place, but physical security as well. ZKTeco is a global manufacturer of access control systems, including facial recognition, fingerprint scanners and RFID. If the sample is run on a workstation with ZKTeco's ZKAccess software installed, the process will prematurely terminate.

"These systems would be heavily scrutinised by their administrators, and an infection on one of these machines would likely not go unnoticed," suggest the researchers, Joseph Landry and Udi Shamir of security software and services company SentinelOne, who uncovered the malware.

"It exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources."

The malware takes advantage of exploits for two known vulnerabilities, CVE-2014-4113 and CVE-2015-1701, as well as one Windows user-account control (UAC) bypass.

The developers appear to have an intimate understanding of both Windows and its low-level APIs and system calls, some of which are undocumented or barely documented and can change from one version of Windows to the next. "To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit, and also reverse-engineered portions of the Windows operating system," said the researchers.

"The use of indirect subroutine calls makes manual static analysis nearly impossible, and manual dynamic analysis painful and slow... The main goal of the sample analysed is to run its final payload after silently removing a number of anti-virus products."

After scanning the targeted system for security software, the malware first tries to remove any anti-virus software before running its final payload. To do so, the sample must run as administrator, which it achieves using the two local privilege escalation exploits together with the UAC bypass.

Once that is achieved, it writes the payload to disk: "The sample now writes its Native Application binary to disk. Unlike regular application code, this binary can only link to ntdll.dll. It will run at a point in the boot-up process where some Windows subsystems are not yet initialised and, therefore, cannot call into normal DLLs like kernel32.dll and user32.dll.

"This native application is hidden in an NTFS alternative data stream (ADS) at the path C:\Windows\Temp:1. By using ADS, the file will not be visible to normal file browsers, like explorer.exe. The native application is registered to run on boot-up by altering the values SetupExecute and BootExecute in the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.

"To ensure the success of the Native Application, the sample will remove all filter drivers from running after reboot by removing their associated registry entries. Filter drivers are used by anti-virus software to intercept file and network access to run static detection on the contents of the traffic. These drivers are loaded early in the boot process, and could interfere with the execution of the Native Application.

"The system is now forced to reboot, allowing the Native Application to run. The Native Application also has similar checks to tell if it is running in a sandbox, and will terminate prematurely when one is detected."
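The three persistence artefacts the researchers describe (the BootExecute and SetupExecute values under Session Manager, an alternate data stream on C:\Windows\Temp, and the removal of file-system filter driver registrations) can all be inspected from an elevated PowerShell session. The following read-only check is an added example for administrators reviewing a host; it is not SentinelOne's code and not part of the original report. It assumes the stock BootExecute value of a clean Windows install is `autocheck autochk *`, and it treats any other entry, any named stream on the Temp directory, and the current list of FSFilter-group driver services as items to compare against a known-good baseline rather than as proof of infection.

```powershell
# Added example (not from the SentinelOne report): read-only checks for the
# boot-time persistence described above. Run elevated; nothing is modified.

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
# Assumption: the only entry a clean install carries in BootExecute.
$expectedBoot = @('autocheck autochk *')

# 1. Native images registered to run before the Win32 subsystem is up.
$props = Get-ItemProperty -Path $smKey
foreach ($name in 'BootExecute', 'SetupExecute') {
    $value = $props.$name
    if (-not $value) {
        Write-Output "$name : (not set)"
        continue
    }
    foreach ($entry in @($value)) {
        if ($name -eq 'BootExecute' -and $expectedBoot -contains $entry) {
            Write-Output "$name : $entry  (expected)"
        } else {
            Write-Warning "$name : $entry  <- review: native application scheduled to run at boot"
        }
    }
}

# 2. Alternate data streams on the directory named in the report.
#    Explorer does not list named streams, so enumerate them explicitly.
$target = 'C:\Windows\Temp'
Get-Item -Path $target -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        Write-Warning ("ADS found: {0}:{1}  ({2} bytes)" -f $target, $_.Stream, $_.Length)
    }

# 3. File-system filter drivers still registered as services. Anti-virus
#    minifilters load in an 'FSFilter ...' load-order group; compare this list
#    against a baseline taken from a healthy host of the same build.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.Group -like 'FSFilter*' } |
    Select-Object PSChildName, Group, ImagePath |
    Format-Table -AutoSize
```

Because the report says the sample removes the filter drivers' registry entries before forcing a reboot, the useful signal from the third check is an entry that is present on a reference machine but missing here, not anything the list itself prints; an unexpected BootExecute or SetupExecute entry, or a named stream under C:\Windows\Temp, is worth pulling for offline analysis before the next reboot.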

While SentinelOne was not willing to disclose the identity of its client, it is known that Ukrainian power companies were recently targeted in malware attacks believed to have come from Russia.