Researchers have found links between the BlackEnergy APT group and the threat actors behind the ExPetr malware used in last month’s global attacks. According to researchers at Kaspersky Lab, there are strong similarities between older versions of BlackEnergy’s KillDisk ransomware and ExPetr code.
Parallels were first identified in the lists of targeted file extensions used by both BlackEnergy and ExPetr, researchers said. Kaspersky Lab, working in tandem with researchers from Palo Alto Networks, said they “focused on the similar extensions list and the code responsible for parsing the file system for encryption or wiping.”
“Together, we tried to build a list of features that we could use to make a YARA rule to detect both ExPetr and BlackEnergy wipers,” wrote researchers with Kaspersky Lab’s Global Research and Analysis Team in a post published late Friday. YARA is a pattern-matching tool used in malware research and forensics to scan files and directories against rules built from strings and byte sequences, so that samples sharing those signatures can be identified.
“We took the results of automated code comparisons and pared them down to a signature that perfectly fit the mould of both in the hope of unearthing similarities. What we came up with is a combination of generic code and interesting strings that we put together into a cohesive rule to single out both BlackEnergy KillDisk components and ExPetr samples,” wrote researchers.
Taken individually, the overlaps found by that careful examination of BlackEnergy’s KillDisk code and the ExPetr wiper were only “low confidence” similarities. Combined into a larger YARA rule, however, the similarities become very precise, researchers said.
“Of course, this should not be considered a sign of a definitive link, but it does point to certain code design similarities between these malware families,” they wrote.
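The workflow the researchers describe (extract candidate features from two samples, keep the ones they share, discard features that are too generic on their own, and combine the survivors into one YARA rule whose condition is only satisfied when several hit together) is sketched below as an added example. It is not Kaspersky’s or Palo Alto Networks’ code, and the byte strings, extension list and rule name are constructed for illustration, not taken from real samples:

```python
"""Derive a YARA rule from strings shared by two samples (constructed example)."""
import re
from typing import Iterable, List, Set

# Constructed stand-ins for two related binaries and one benign file.
# These byte strings are invented for this example; they are not real malware.
SAMPLE_FAMILY_A = (
    b"MZ\x90\x00stub-A\x00"
    b".docx\x00.xlsx\x00.pptx\x00.pdf\x00.zip\x00"   # targeted extension list
    b"FindFirstFileW\x00FindNextFileW\x00"            # directory-walk imports
    b"unique_marker_A\x00"
)
SAMPLE_FAMILY_B = (
    b"MZ\x90\x00stub-B\x00"
    b".docx\x00.xlsx\x00.pdf\x00.zip\x00.sql\x00"
    b"FindFirstFileW\x00FindNextFileW\x00"
    b"unique_marker_B\x00"
)
BENIGN_FILE = b"MZ\x90\x00hello world\x00.txt\x00FindFirstFileW\x00"


def extract_strings(blob: bytes, min_len: int = 4) -> Set[bytes]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return set(re.findall(pattern, blob))


def shared_features(a: bytes, b: bytes, min_len: int = 4) -> List[bytes]:
    """Strings present in both samples, sorted so the generated rule is deterministic."""
    return sorted(extract_strings(a, min_len) & extract_strings(b, min_len))


def drop_benign(features: Iterable[bytes], benign: Iterable[bytes]) -> List[bytes]:
    """Remove features that also occur in benign files (e.g. common API names);
    on their own they are low-confidence and would make the rule fire on ordinary software."""
    noise: Set[bytes] = set()
    for blob in benign:
        noise |= extract_strings(blob)
    return [f for f in features if f not in noise]


def _yara_escape(s: bytes) -> str:
    return s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name: str, features: List[bytes], min_hits: int) -> str:
    """Emit YARA source: an MZ-header check plus 'min_hits of' the shared strings,
    so that no single generic string is enough to match."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(features):
        lines.append(f'        $s{i} = "{_yara_escape(s)}" ascii')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {min_hits} of ($s*)",
              "}"]
    return "\n".join(lines)


def rule_matches(blob: bytes, features: List[bytes], min_hits: int) -> bool:
    """Evaluate the generated condition without a YARA engine:
    uint16(0) == 0x5A4D is the little-endian 'MZ' header; then count string hits."""
    if blob[:2] != b"MZ":
        return False
    return sum(1 for f in features if f in blob) >= min_hits


def main() -> None:
    feats = drop_benign(shared_features(SAMPLE_FAMILY_A, SAMPLE_FAMILY_B), [BENIGN_FILE])
    min_hits = max(1, len(feats) - 1)   # tolerate one missing string between variants
    print(build_yara_rule("shared_wiper_traits", feats, min_hits))
    for label, blob in [("A", SAMPLE_FAMILY_A), ("B", SAMPLE_FAMILY_B), ("benign", BENIGN_FILE)]:
        print(label, rule_matches(blob, feats, min_hits))


if __name__ == "__main__":
    main()
```

Running the script prints the generated rule and then `A True`, `B True`, `benign False`: the shared `FindFirstFileW` import is dropped because it also appears in the benign file, and the remaining extension strings and `FindNextFileW` only match when at least four of them occur together, which is the same “individually weak, collectively precise” property the researchers describe.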
The research could prove useful in determining who is behind ExPetr, the wiper malware that sabotaged thousands of PCs.
The BlackEnergy APT group has long been known to use zero days, destructive tools and malicious code targeting industrial control systems. It was behind the 2015 attack on Ukraine’s power grid and a string of similar destructive attacks that have targeted that country over the past several years.
Over the last several days ExPetr has been reclassified as wiper malware rather than the ransomware it was initially and widely thought to be. While the malware has a ransomware component, ExPetr cannot decrypt victims’ disks, even if the ransom is paid.
“You can’t call an attack, with no possible way of decrypting files, a ransomware attack,” said Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, in a webinar with Comae Technologies’ Matt Suiche last week.
Similar research by ESET also found links between ExPetr and BlackEnergy. According to ESET, a group with ties to BlackEnergy called TeleBots was behind the ExPetr outbreak. It said the KillDisk encryption component of the ExPetr malware is a hallmark of the TeleBots group. “In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks,” they wrote.